CVE-2026-27730
Published 2026-02-25
Priority: P349 (high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.34% (25.8th percentile)
esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains. This allows an external requester to make the esm.sh server fetch internal localhost services. As of time of publication, no known patched versions exist.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| esm-dev | esm.sh | <= 137 | — |
| esm | esm.sh | <= 137 | — |
| github.com | esm-dev_esm.sh | >= 0 < 0.0.0-20250616164159-0593516c4cfa | 0.0.0-20250616164159-0593516c4cfa |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 3.0 | 8.6 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
OSV (osv, 2026-02-27): CVE-2026-27730, esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route in github.com/esm-dev/esm.sh
GHSA (ghsa, 2026-02-25): CVE-2026-27730 [HIGH] CWE-918, esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route
### Summary
An SSRF vulnerability (CWE-918) exists in esm.sh’s `/http(s)` fetch route.
The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains (for example, `127.0.0.1.nip.io` resolving to `127.0.0.1`).
This allows an external requester to make the esm.sh server fetch internal localhost services.
Severity: High (depending on deployment network exposure).
### Details
The vulnerable flow starts at the route handling user-controlled remote URLs:
- `server/router.go:532`
- Accepts paths beginning with `/http://` or `/https://`.
```go
if strings.HasPrefix(pathname, "/http://") || strings.HasPrefix(pathname, "/https://") {
```
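The bypass the advisory describes comes down to where the check looks: a denylist that inspects the hostname string never sees that `127.0.0.1.nip.io` resolves to loopback. The following is an added example, not esm.sh's code. It contrasts a hypothetical string-based denylist with a filter that resolves the name and judges every returned address; the function names, the `fakeResolve` stand-in for DNS, and the sample names and addresses are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Added example, not esm.sh's code. It contrasts a hostname string check of
// the kind the advisory describes with a filter that resolves the name and
// checks every returned address. Names, addresses and the fake resolver are
// constructed for illustration.

// blockedByStringCheck is a hypothetical denylist that only inspects the
// hostname string. It never resolves the name, so an alias such as
// 127.0.0.1.nip.io passes even though it resolves to loopback.
func blockedByStringCheck(host string) bool {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	return h == "localhost" || h == "127.0.0.1" || h == "::1" ||
		strings.HasPrefix(h, "10.") || strings.HasPrefix(h, "192.168.") ||
		strings.HasSuffix(h, ".local")
}

// isDisallowedIP rejects loopback, private (RFC 1918 and fc00::/7),
// link-local (which covers the 169.254.169.254 metadata endpoint),
// unspecified and multicast addresses. IPv4-mapped IPv6 (::ffff:127.0.0.1)
// is normalised first so it is judged as the IPv4 address it carries.
func isDisallowedIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// Resolver abstracts DNS so the check can be exercised offline; a real
// service would wrap net.DefaultResolver.LookupIP to this signature.
type Resolver func(host string) ([]net.IP, error)

// safeTarget returns the address a fetcher may dial for host, or an error if
// host is a disallowed literal or resolves to any disallowed address. The
// caller must connect to the returned IP rather than re-resolving the name,
// so that a second lookup cannot rebind to an internal address.
func safeTarget(host string, resolve Resolver) (net.IP, error) {
	host = strings.TrimSuffix(host, ".")
	if ip := net.ParseIP(strings.Trim(host, "[]")); ip != nil {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("blocked literal address %q", host)
		}
		return ip, nil
	}
	ips, err := resolve(host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, errors.New("no addresses for " + host)
	}
	// Fail closed: one internal answer among several is enough to refuse.
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("%q resolves to blocked address %s", host, ip)
		}
	}
	return ips[0], nil
}

// fakeResolve is a constructed stand-in for DNS. It models a wildcard alias
// domain (127.0.0.1.nip.io -> 127.0.0.1), localhost, and one public name
// mapped to a documentation-range address (203.0.113.10).
func fakeResolve(host string) ([]net.IP, error) {
	switch strings.ToLower(host) {
	case "127.0.0.1.nip.io":
		return []net.IP{net.ParseIP("127.0.0.1")}, nil
	case "localhost":
		return []net.IP{net.ParseIP("::1"), net.ParseIP("127.0.0.1")}, nil
	case "example.test":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	for _, h := range []string{"127.0.0.1", "127.0.0.1.nip.io", "example.test"} {
		ip, err := safeTarget(h, fakeResolve)
		fmt.Printf("%-18s string-check blocked=%-5v resolve-check ip=%v err=%v\n",
			h, blockedByStringCheck(h), ip, err)
	}
}
```

Two caveats a fetcher built on this still has to handle: the check must be applied again on every redirect hop, because a public host can 302 to an internal one, and the connection must actually be made to the IP `safeTarget` returned (for example through a custom dialer), otherwise a short-TTL record can change between check and dial. Whatever shorthand a resolver accepts for an address, the address it returns is what this filter judges, which is the point of checking addresses rather than strings.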
No detection rules found.
No public exploits indexed.
Published 2026-02-25