{"id":"CVE-2025-50180","summary":"esm.sh is vulnerable to full-response SSRF","details":"esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response server-side request forgery (SSRF): an attacker can make the server send requests to internal websites and retrieve information from the responses. Version 137 fixes the vulnerability.","aliases":["GHSA-3c9r-837r-qqm4","GO-2026-4545"],"modified":"2026-04-10T05:29:52.674768Z","published":"2026-02-25T15:32:56.449Z","related":["SUSE-SU-2026:0757-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-918"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/50xxx/CVE-2025-50180.json"},"references":[{"type":"WEB","url":"https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/internal/fetch/fetch.go#L13"},{"type":"WEB","url":"https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511"},{"type":"WEB","url":"https://github.com/esm-dev/esm.sh/releases/tag/v137"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/50xxx/CVE-2025-50180.json"},{"type":"ADVISORY","url":"https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3c9r-837r-qqm4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-50180"},{"type":"FIX","url":"https://github.com/esm-dev/esm.sh/commit/0593516c4cfab49ad3b4900416a8432ff2e23eb0"},{"type":"FIX","url":"https://github.com/esm-dev/esm.sh/pull/1149"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/esm-dev/esm.sh","events":[{"introduced":"0"},{"fixed":"0593516c4cfab49ad3b4900416a8432ff2e23eb0"}]}],"versions":["v100","v101","v102","v103","v104","v105","v106","v107","v108","v109","v110","v111","v112","v113","v114","v115","v116","v117","v119","v120","v121","v122","v123","v124","v125","v126","v127","v128","v129","v130","v131","v132","v133","v134","v135","v135_1","v136","v34","v35","v37","v38","v39","v40","v41","v43","v44"
,"v45","v46","v47","v49","v50","v51","v52","v53","v55","v56","v57","v59","v60","v61","v62","v63","v64","v65","v66","v67","v68","v69","v70","v71","v72","v73","v74","v75","v76","v77","v78","v79","v80","v81","v82","v83","v84","v85","v86","v87","v88","v89","v90","v91","v92","v93","v94","v95","v96","v97","v98","v99"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-50180.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"}]}