CVE-2025-50180: CWE-918: Server-Side Request Forgery (SSRF) in esm-dev esm.sh
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.
AI Analysis
Technical Summary
CVE-2025-50180 is a Server-Side Request Forgery (SSRF) vulnerability, CWE-918, in esm.sh version 136. esm.sh is a no-build CDN for web development: the server fetches packages from a registry (npm by default) and transforms them into ES modules on request, so issuing outbound HTTP requests is part of its normal operation. The same software runs the public esm.sh service and is also self-hostable, which means the vulnerable component is the esm.sh server and the exposed party is whoever operates an instance. SSRF lets an attacker turn such a server into a proxy for requests it would never accept from the outside, reaching hosts that are only routable from the server's own network. This case is a full-response SSRF: the attacker not only triggers the request but receives the complete HTTP response body, which makes it a direct read primitive against internal APIs, cloud instance metadata endpoints and any other service that trusts the server's network position. The vulnerability requires no authentication or user interaction and has low attack complexity. The CVSS 4.0 base score of 8.7 matches that profile: network attack vector, no privileges or user interaction, high confidentiality impact, and no integrity or availability impact (the flaw reads responses; the description does not claim it can modify anything). The CVE was reserved in June 2025 and published in February 2026. Version 137 fixes it; the advisory text does not describe the fix. No public exploit code or in-the-wild exploitation had been reported at the time of this write-up. Operators of esm.sh instances on version 136 should treat this as a serious exposure of everything their server can reach.
Potential Impact
An attacker who can reach a vulnerable esm.sh instance can read from anything that instance can reach but the attacker cannot: internal APIs, admin interfaces, private databases with HTTP front ends, and cloud instance metadata endpoints. Metadata endpoints are the most immediate concern because they return credentials and configuration (instance role tokens, startup scripts, environment details) that turn an information-disclosure bug into account access. Beyond direct disclosure, SSRF is a stepping stone for lateral movement: internal services frequently trust requests that originate inside the network, so the esm.sh host becomes a launch point for exploiting other internal vulnerabilities. Because esm.sh serves JavaScript modules, instances are commonly deployed alongside development, staging or production infrastructure, and any of those networks is in scope; credentials for build or delivery systems found this way are what makes the supply-chain concern concrete. The attack needs no authentication or user interaction, so it can be automated and run at scale against every exposed instance. The impact is primarily to confidentiality; integrity and availability are affected only indirectly, for example if stolen credentials are reused or internal services are flooded through the proxy.
Mitigation Recommendations
Upgrade any esm.sh instance to version 137 or later. Where that cannot happen immediately, contain the blast radius at the network layer: the esm.sh host only needs outbound HTTPS to the package registries it is configured to fetch from and any other configured upstreams, so egress rules should deny everything else, in particular loopback, RFC 1918, link-local (169.254.0.0/16, which includes cloud metadata) and their IPv6 equivalents. Harden the metadata service itself: on AWS, require IMDSv2 and set the hop limit to 1 so that a plain GET relayed by a proxying process cannot obtain a session token; other clouds have equivalent header or session requirements that are worth enforcing. Internal services reachable from the host should require authentication rather than trust network position. A WAF in front of esm.sh can flag inbound requests whose parameters carry IP literals, internal hostnames or unusual URL schemes, but it is a secondary control; the egress deny-list is what actually stops the read. Log outbound connections from the esm.sh host (destination IP and port is enough) and alert on any to private or link-local ranges, and review existing logs for such connections before upgrading to determine whether the flaw was already exercised. Finally, the general lesson for in-house code that fetches URLs on a user's behalf: validate the scheme, resolve the hostname, reject private and link-local results, and connect to the checked address rather than re-resolving the name.
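The SSRF mechanism described in the technical summary, and the destination check that the last mitigation point calls for, as an added example. This is not esm.sh's code and does not reproduce the actual flaw or patch, which the advisory does not describe; it is a generic Go guard for any service that fetches URLs on a client's behalf. The blocked-range policy, the function names and the `safeDialContext` hook are assumptions for the example. Installing the check in the transport's dialer, rather than only on the URL the client supplied, is the important design point: it also covers redirect targets, and it connects to the IP that was actually checked, so a DNS answer that changes between validation and connect (rebinding) gains nothing.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// CGNAT range, which net.IP.IsPrivate does not classify as private.
var _, cgnat, _ = net.ParseCIDR("100.64.0.0/10")

// isDisallowedIP reports whether ip is an address a URL-fetching service must never
// contact on a client's behalf: unspecified, loopback, private (RFC 1918, fc00::/7),
// link-local (which covers the 169.254.169.254 cloud metadata endpoint), multicast,
// and CGNAT. IPv4-mapped IPv6 forms such as ::ffff:10.0.0.1 are normalised to IPv4
// first so they cannot slip past the check. The policy is an assumption for this example.
func isDisallowedIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	if len(ip) == 0 || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() {
		return true // fail closed on unparsable input as well
	}
	return cgnat.Contains(ip)
}

// validateTargetURL accepts only absolute http/https URLs with a host and without
// embedded credentials; file:, gopher: and user@host tricks are rejected up front.
func validateTargetURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil || u.Hostname() == "" {
		return nil, errors.New("credentials in URL or missing host")
	}
	return u, nil
}

// safeAddr rejects the hostname if any record it resolved to is blocked and otherwise
// returns a dial string for the first record. Dialing the checked IP rather than the
// hostname closes the DNS-rebinding gap between the check and the connect.
func safeAddr(host, port string, ips []net.IPAddr) (string, error) {
	if len(ips) == 0 {
		return "", fmt.Errorf("%s did not resolve", host)
	}
	for _, ia := range ips {
		if isDisallowedIP(ia.IP) {
			return "", fmt.Errorf("%s resolves to blocked address %s", host, ia.IP)
		}
	}
	return net.JoinHostPort(ips[0].IP.String(), port), nil
}

// safeDialContext is installed on the http.Transport so the policy also covers redirect
// targets, which the caller never sees before the client follows them.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	target, err := safeAddr(host, port, ips)
	if err != nil {
		return nil, err
	}
	d := net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, target)
}

// newGuardedClient wires the guard into every connection and re-validates redirect URLs.
func newGuardedClient() *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: safeDialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 { // setting CheckRedirect disables Go's default 10-hop limit
				return errors.New("too many redirects")
			}
			_, err := validateTargetURL(req.URL.String())
			return err
		},
	}
}
```

A service would route every upstream fetch through `newGuardedClient()`; a request for `http://169.254.169.254/latest/meta-data/` then fails inside `safeDialContext` with a blocked-address error before any packet leaves the host. The block is a default deny of known-internal ranges; an allow-list of the registries the service is supposed to reach is stricter and preferable wherever the upstream set is known, which for a module CDN it normally is.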
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Japan, South Korea, Netherlands, France, India, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-13T19:17:51.726Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699f6e70b7ef31ef0b5a0a15
Added to database: 2/25/2026, 9:49:36 PM
Last enriched: 2/25/2026, 9:55:53 PM
Last updated: 2/26/2026, 1:32:42 AM