CVE-2025-50180
Published: 25 February 2026
Summary
CVE-2025-50180 is a high-severity SSRF (CWE-918) vulnerability in Esm Esm.Sh. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing esm.sh service directly enables T1190 for remote exploitation; explicit mention of metadata service access enables T1552.005 for credential retrieval.
NVD Description
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.
Deeper analysisAI
CVE-2025-50180 is a full-response Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting esm.sh, a no-build content delivery network (CDN) used in web development. The issue exists in version 136 of esm.sh, where attackers can exploit it to retrieve information from internal websites. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no requirements for privileges or user interaction.
Unauthenticated attackers can exploit this vulnerability remotely by crafting requests to esm.sh version 136, tricking the service into making requests to arbitrary internal endpoints and returning full responses. Successful exploitation allows retrieval of sensitive data from internal networks, such as metadata services or private APIs, without impacting integrity or availability.
Mitigation involves upgrading to esm.sh version 137, which addresses the vulnerability as detailed in the release notes and associated pull request #1149. The fix is implemented in the fetch handling code (internal/fetch/fetch.go) and router logic (server/router.go), with the specific commit 0593516c4cfab49ad3b4900416a8432ff2e23eb0 resolving the SSRF issue.
Details
- CWE(s)