CVE-2026-27730

Severity: HIGH (CVSS 3.1 base score 7.5)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (source: nvd) - patch available
Analysis Generated: Mar 12, 2026 - 21:55 (source: vuln.today)
PoC Detected: Feb 27, 2026 - 17:43 (source: vuln.today) - public exploit code
CVE Published: Feb 25, 2026 - 16:23 (source: nvd)

Description

esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh's `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains (public hostnames whose records resolve to a loopback or internal address). This allows an external requester to make the esm.sh server fetch internal localhost services. At the time of publication, no known patched versions exist.

Analysis

esm.sh versions up to 137 contain an SSRF vulnerability in the `/http(s)` fetch route that allows remote attackers to bypass hostname validation through DNS alias domains and access internal localhost services. Public exploit code exists for this vulnerability, and no patches are currently available. …
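The defensive fix the analysis implies is to validate a fetch target by the addresses its host resolves to rather than by how the hostname is spelled. The following Go code is an added example written for this page, not esm.sh's own code: `weakHostCheck` stands in for the kind of string filter described, `ValidateFetchTarget` is the hardened check, and the resolver stub and the hostname `alias.example` are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// weakHostCheck is the string-based filter the advisory describes: it rejects
// known spellings only, so a public name whose record points at 127.0.0.1 passes.
func weakHostCheck(host string) bool {
	return host != "localhost" && host != "127.0.0.1" && host != "::1"
}

// isBlockedIP rejects loopback, RFC 1918/ULA private, link-local (covers the
// 169.254.169.254 metadata address), multicast and unspecified addresses;
// net.IP.To4 unwraps IPv4-mapped IPv6 forms, so those are covered too.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateFetchTarget vets a /http(s) target by what its host resolves to, not by how
// it is spelled (lookup is net.LookupIP in production, a stub below). The dialer should
// then connect to the vetted IP rather than re-resolve, so a rebinding second DNS answer cannot slip past.
func ValidateFetchTarget(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("invalid target %q", raw)
	}
	host := u.Hostname()
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil { // literal IP: no DNS involved
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %s (%v)", host, err)
	}
	for _, ip := range ips { // every answer must be a public unicast address
		if isBlockedIP(ip) {
			return fmt.Errorf("%s resolves to disallowed address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed stub resolver: alias.example is a DNS alias for loopback.
	stub := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("127.0.0.1")}, nil }
	fmt.Println(weakHostCheck("alias.example"), ValidateFetchTarget("http://alias.example:8080/", stub))
}
```

The string check lets `alias.example` through while the resolved-address check rejects it; the same check also catches literal loopback and link-local targets that never touch DNS.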


Remediation

Within 24 hours: Identify all internal applications and services using esm.sh and assess exposure to the `/http(s)` endpoint; implement network-level access controls to restrict esm.sh from reaching internal systems. Within 7 days: Deploy WAF rules to block suspicious `/http(s)` requests and monitor for exploitation attempts; evaluate alternative CDN providers or maintained esm.sh forks. …


Priority Score: 58 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +38
POC: +20

Vendor Status


CVE-2026-27730 vulnerability details – vuln.today
