CVE-2025-50180

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-50180

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-50180.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-50180

Aliases

Downstream

SUSE-SU-2026:0757-1

Related

SUSE-SU-2026:0757-1

Published

2026-02-25T15:32:56.449Z

Modified

2026-03-04T22:29:04.984096Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

esm.sh is vulnerable to full-response SSRF

Details

esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/50xxx/CVE-2025-50180.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ]
}

References

Affected packages

Git / github.com/esm-dev/esm.sh

Affected ranges

Type: GIT
Repo: https://github.com/esm-dev/esm.sh
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

bb69b0306fb6d45f6c3919b4457e57a72ed14236

Affected versions

Other

v100

v101

v102

v103

v104

v105

v106

v107

v108

v109

v110

v111

v112

v113

v114

v115

v116

v117

v119

v120

v121

v122

v123

v124

v125

v126

v127

v128

v129

v130

v131

v132

v133

v134

v135

v135_1

v136

v136_1

v137

v34

v35

v37

v38

v39

v40

v41

v43

v44

v45

v46

v47

v49

v50

v51

v52

v53

v55

v56

v57

v59

v60

v61

v62

v63

v64

v65

v66

v67

v68

v69

v70

v71

v72

v73

v74

v75

v76

v77

v78

v79

v80

v81

v82

v83

v84

v85

v86

v87

v88

v89

v90

v91

v92

v93

v94

v95

v96

v97

v98

v99

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-50180.json"