CVE-2025-50180
Published 2026-02-25
Priority P344 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.38% (29.9th percentile)
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| esm-dev | esm.sh | — | — |
| esm | esm.sh | < 137 | 137 |
| github.com | esm-dev_esm.sh | >= 0 < 0.0.0-20250616164159-0593516c4cfa | 0.0.0-20250616164159-0593516c4cfa |
| msrc | cbl2_kernel_5.15.167.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kernel_5.15.173.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_msrc | — | 7.8 | HIGH | — |
OSV
esm.sh is vulnerable to full-response SSRF in github.com/esm-dev/esm.sh
osv·2026-02-25
CVE-2025-50180 esm.sh is vulnerable to full-response SSRF in github.com/esm-dev/esm.sh
OSV
esm.sh is vulnerable to full-response SSRF
osv·2026-02-25
CVE-2025-50180 [HIGH] esm.sh is vulnerable to full-response SSRF
### Summary
esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability.
### Details
Vulnerable code location: https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511
If the internal address has a suffix listed below, the attacker can obtain content from the specified internal address.
e.g. https://esm.sh/https://local.site/test.md
```
".js", ".ts", ".mjs", ".mts", ".jsx", ".tsx", ".cjs", ".cts", ".vue", ".svelte", ".md", ".css"
```
A 302 redirect can be used to bypass the suffix restriction.
e.g. https://esm.sh/https://attacker.site/test.md
where https://attacker.site/test.md 302-redirects to http://169.254.169.254/v1.jso
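The advisory above makes two points: a path-suffix allowlist decides which pass-through URLs are fetched, and a 302 from a permitted first hop can steer the fetch to a blocked internal address. The Go block below is an added illustration of the mitigation side, written for this page; it is not esm.sh's code and not the v137 fix. It keeps the advisory's suffix list, adds a destination check on every resolved address, and re-runs that check on each redirect hop via `http.Client.CheckRedirect`. The host names `attacker.site` and `local.site`, the `FakeResolver` that maps them to constructed addresses, and all function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// Extension allowlist as quoted in the advisory. It constrains only the path
// suffix, so by itself it says nothing about where the request actually goes.
var allowedExt = map[string]bool{
	".js": true, ".ts": true, ".mjs": true, ".mts": true, ".jsx": true, ".tsx": true,
	".cjs": true, ".cts": true, ".vue": true, ".svelte": true, ".md": true, ".css": true,
}

// Resolver is injected so the policy can be exercised offline.
type Resolver func(host string) ([]net.IP, error)

// SystemResolver uses real DNS; FakeResolver below is a constructed stand-in.
func SystemResolver(host string) ([]net.IP, error) { return net.LookupIP(host) }

// FakeResolver maps the advisory's example host names to constructed addresses
// (assumption for this example, not real infrastructure).
func FakeResolver(host string) ([]net.IP, error) {
	switch host {
	case "attacker.site":
		return []net.IP{net.ParseIP("203.0.113.5")}, nil // documentation range, treated as public
	case "local.site":
		return []net.IP{net.ParseIP("10.0.0.5")}, nil // RFC 1918, internal
	}
	return nil, errors.New("no such host: " + host)
}

// Ranges the net.IP predicates do not cover: "this network" and CGNAT.
var extraBlocked = []*net.IPNet{mustCIDR("0.0.0.0/8"), mustCIDR("100.64.0.0/10")}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// IsBlockedIP rejects loopback, private, link-local (which covers the
// 169.254.169.254 metadata endpoint named in the advisory), multicast,
// unspecified, and the extra ranges above. IPv4-mapped IPv6 is normalised first.
func IsBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
		return true
	}
	for _, n := range extraBlocked {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateTarget applies both checks: the advisory's suffix allowlist and a
// destination check on every address the host resolves to.
func ValidateTarget(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil || u.Hostname() == "" {
		return nil, errors.New("missing host or embedded credentials")
	}
	if !allowedExt[strings.ToLower(path.Ext(u.Path))] {
		return nil, fmt.Errorf("extension %q not allowed", path.Ext(u.Path))
	}
	host := u.Hostname()
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip)
	} else if ips, err = resolve(host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, errors.New("host did not resolve")
	}
	for _, ip := range ips { // reject if any answer is internal, not just the first
		if IsBlockedIP(ip) {
			return nil, fmt.Errorf("host %s resolves to blocked address %s", host, ip)
		}
	}
	return u, nil
}

// NewClient re-runs ValidateTarget on every redirect hop. This is what closes
// the 302 bypass in the advisory: a permitted first hop cannot forward the
// fetch to a blocked second hop.
func NewClient(resolve Resolver) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			_, err := ValidateTarget(req.URL.String(), resolve)
			return err
		},
	}
}

func main() {
	for _, raw := range []string{
		"https://attacker.site/test.md",
		"https://local.site/test.md",
		"http://169.254.169.254/v1.md",
	} {
		if _, err := ValidateTarget(raw, FakeResolver); err != nil {
			fmt.Println("reject", raw, "->", err)
		} else {
			fmt.Println("allow ", raw)
		}
	}
}
```

Two design notes. First, the suffix check is kept because it is what the advisory describes, but the destination check is the part that actually decides exposure; the test cases below show `https://local.site/test.md` passing the suffix rule and still being rejected. Second, resolving the host in `ValidateTarget` and then letting the transport resolve it again leaves a DNS-rebinding window; a production version would pin the dial to the address that was checked (a custom `DialContext`), which this example omits for brevity.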
GHSA
esm.sh is vulnerable to full-response SSRF
ghsa·2026-02-25
CVE-2025-50180 [HIGH] CWE-918 esm.sh is vulnerable to full-response SSRF
Microsoft
fbdev: sisfb: Fix strbuf array overflow
vendor_msrc·2024-11-12·CVSS 7.8
CVE-2024-50180 [HIGH] CWE-787 fbdev: sisfb: Fix strbuf array overflow
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Linux: Linux
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/e
No detection rules found.
No public exploits indexed.
References
https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/internal/fetch/fetch.go#L13
https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511
https://github.com/esm-dev/esm.sh/commit/0593516c4cfab49ad3b4900416a8432ff2e23eb0
https://github.com/esm-dev/esm.sh/pull/1149
https://github.com/esm-dev/esm.sh/releases/tag/v137
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3c9r-837r-qqm4