CVE-2025-50180

Published February 25th, 2026

View on NVD ↗

CVSS v3

7.5

HIGH

CVSS v2

N/A

Affected

PROJECT

Description

esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability.

esm-dev/esm.sh

A no-build JavaScript CDN for modern web development.

GitHub

4.1K