CVE-2026-27730: The Proxy that Talked Too Much: Breaking esm.sh with SSRF

Tags: security, cve, cybersecurity

Vulnerability ID: CVE-2026-27730
CVSS Score: 8.6
Published: 2026-02-25

A critical Server-Side Request Forgery (SSRF) vulnerability in esm.sh allowed attackers to bypass string-based hostname validation using DNS aliases. By masking internal IP addresses behind innocent-looking domain names, attackers could trick the CDN into scanning local networks or retrieving cloud metadata. While a patch attempted to pin hosts during redirects, the fundamental flaw of validating hostnames before DNS resolution remains a classic example of 'checking the ID card but ignoring the face'.

TL;DR

Critical SSRF in esm.sh allows internal network access via DNS aliasing. The application validated URL strings instead of resolved IPs, enabling attackers to bypass 'localhost' blocks using domains like '127.0.0.1.nip.io'.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS v3.0: 8.6 (High)
  • Attack Complexity: Low
  • Privileges Required: None
  • Exploit Maturity: Proof of Concept

Affected Systems

  • esm.sh <= v136
  • esm.sh: <= 137 (Fixed in: 137)

Code Analysis

Commit: 0593516

fix: prevent ssrf redirect

Client.CheckRedirect = func(req *http.Request, via []*http.Request) error { ... }

Exploit Details

Mitigation Strategies

  • Input Validation: Validate resolved IP addresses, not just hostnames.
  • Network Segmentation: Block egress traffic to internal networks via firewall rules.
  • Disable Redirects: Enforce strict redirect policies (implemented in v137).
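As an added illustration of the first mitigation (not esm.sh's own code), the string-only check the advisory describes beside a resolve-then-vet check in Go. fakeLookup is a constructed stand-in for net.LookupIP so the block runs offline; cdn.example and 203.0.113.10 are placeholder values.

```go
package main

import (
	"fmt"
	"net"
)

// stringCheck mirrors the flawed pattern this advisory describes: it inspects
// only the hostname text, so "127.0.0.1.nip.io" passes although it resolves
// to loopback.
func stringCheck(host string) bool {
	return host != "localhost" && host != "127.0.0.1" && host != "::1"
}

// isInternal reports whether an address must never be reached by a fetching
// proxy: loopback, RFC 1918, link-local (which covers 169.254.169.254, the
// cloud metadata endpoint), unspecified and multicast.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// resolvedCheck resolves the name first and vets every returned address. It
// returns the vetted IPs so the caller dials them directly (pinning) instead
// of resolving the name again at connect time, which would reopen a DNS
// rebinding window. The lookup is injected so real DNS (net.LookupIP) or a
// fixture can be used.
func resolvedCheck(host string, lookup func(string) ([]net.IP, error)) ([]net.IP, error) {
	ips, err := lookup(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("lookup %s failed or returned no addresses: %v", host, err)
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return nil, fmt.Errorf("%s resolves to internal address %s", host, ip)
		}
	}
	return ips, nil
}

// fakeLookup is a constructed resolver so the example runs offline; the
// 127.0.0.1.nip.io entry matches what public DNS actually returns for it.
func fakeLookup(host string) ([]net.IP, error) {
	switch host {
	case "127.0.0.1.nip.io":
		return []net.IP{net.ParseIP("127.0.0.1")}, nil
	case "cdn.example":
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	}
	return nil, fmt.Errorf("NXDOMAIN: %s", host)
}
```

Run resolvedCheck on the initial URL and again inside http.Client.CheckRedirect for every hop, and dial the returned IPs rather than the hostname, so neither a redirect nor a changed DNS answer can reintroduce an internal target.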

Remediation Steps:

  1. Update esm.sh to version 137 or later immediately.
  2. Configure the host server's firewall (iptables/UFW) to drop outgoing packets to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 127.0.0.0/8.
  3. If running in AWS, ensure IMDSv2 is enforced (require session tokens).

Read the full report for CVE-2026-27730 on our website for more details including interactive diagrams and full exploit analysis.