CVE-2026-27730 - Vulnerability Details

- esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route

Description

esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains. This allows an external requester to make the esm.sh server fetch internal localhost services. As of time of publication, no known patched versions exist.

Published: 2026-02-25

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

esm.sh is a CDN that fetches JavaScript packages via a public /http(s) route. A flaw (CWE‑918) in that endpoint allows an attacker to bypass the check that blocks localhost and internal targets by using DNS alias domains, turning the service into an SSRF tool capable of requesting internal localhost services. This can expose data or services that should remain private to an external attacker, and as of the time of publication no patched versions are available.

Affected Systems

The vulnerable product is esm.sh, maintained by esm-dev, with releases up to and including version 137 affected. No newer versions were available at the time of publication.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not yet listed in the CISA KEV catalog. An external attacker can trigger the SSRF by sending HTTP requests to the /http(s) endpoint with crafted URLs, demonstrating a remote network attack vector and relying on the CDN’s ability to resolve arbitrary DNS queries.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

esm-dev

esm.sh

affected

Version	Status	Constraints
`<= 137`	affected	—

Configuration 1 [-]

cpe:2.3:a:esm:esm.sh:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Esm-dev

Esmsh

96%

Version	Status	Scheme	Platform
`[0,137]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Block outbound traffic from your esm.sh instance to internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) using firewall rules.
Disable or restrict the /http(s) fetch endpoint if a direct package fetch from your origin servers is possible.
Monitor requests to the /http(s) endpoint for unusual or internal hostname patterns and investigate anomalous traffic.

Generated by OpenCVE AI on April 18, 2026 at 10:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-p2v6-84h2-5x4r	esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00064.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-p2v6-84h2-5x4r

History

Fri, 27 Feb 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Esm Esm esm.sh
CPEs		cpe:2.3:a:esm:esm.sh::::::::
Vendors & Products		Esm Esm esm.sh
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Thu, 26 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Esm-dev Esm-dev esmsh
Vendors & Products		Esm-dev Esm-dev esmsh

Wed, 25 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		esm.sh is a no-build content delivery network (CDN) for web development. Versions up to and including 137 have an SSRF vulnerability (CWE-918) in esm.sh’s `/http(s)` fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypassed using DNS alias domains. This allows an external requester to make the esm.sh server fetch internal localhost services. As of time of publication, no known patched versions exist.
Title		esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route
Weaknesses		CWE-918
References		https://github.com/esm-dev/esm.sh/security/advisories/GHSA-p2v6-84h2-5x4r
Metrics		cvssV3_0 `{'score': 8.6, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}`

Subscriptions

Esm Esm.sh

Esm-dev Esmsh

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-25T15:37:01.753Z

Updated: 2026-02-25T20:32:05.079Z

Reserved: 2026-02-23T18:37:14.789Z

Link: CVE-2026-27730

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-25T16:23:27.123

Modified: 2026-02-27T17:43:47.737

Link: CVE-2026-27730

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object