5 matches found
CVE-2025-50180 esm.sh is vulnerable to full-response SSRF
esm.sh is a no-build content delivery network CDN for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability...
CVE-2025-50180 esm.sh is vulnerable to full-response SSRF
esm.sh is a no-build content delivery network CDN for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability...
GHSA-3C9R-837R-QQM4 esm.sh is vulnerable to full-response SSRF
Summary esh.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Details Vulnerable code location: https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.goL511 If the intern...
CVE-2025-65025 esm.sh CDN service has arbitrary file write via tarslip
esm.sh is a nobuild content delivery networkCDN for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths e.g.,...
PT-2025-38247
Name of the Vulnerable Software and Affected Versions esm.sh versions prior to 136 Description A Local File Inclusion LFI issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem or other...