The Proxy that Talked Too Much: Breaking esm.sh with SSRF
Vulnerability ID: CVE-2026-27730
CVSS Score: 8.6
Published: 2026-02-25
A critical Server-Side Request Forgery (SSRF) vulnerability in esm.sh allowed attackers to bypass string-based hostname validation using DNS aliases. By masking internal IP addresses behind innocent-looking domain names, attackers could trick the CDN into scanning local networks or retrieving cloud metadata. While a patch attempted to pin hosts during redirects, the fundamental flaw of validating hostnames before DNS resolution remains a classic example of 'checking the ID card but ignoring the face'.
TL;DR
Critical SSRF in esm.sh allows internal network access via DNS aliasing. The application validated URL strings instead of resolved IPs, enabling attackers to bypass 'localhost' blocks using domains like '127.0.0.1.nip.io'.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-918
- Attack Vector: Network
- CVSS v3.0: 8.6 (High)
- Attack Complexity: Low
- Privileges Required: None
- Exploit Maturity: Proof of Concept
Affected Systems
- esm.sh <= v136
- esm.sh: <= 137 (Fixed in: 137)
Code Analysis
Commit: 0593516
fix: prevent ssrf redirect
Client.CheckRedirect = func(req *http.Request, via []*http.Request) error { ... }
Exploit Details
- Research Analysis: DNS alias bypass using nip.io domains
Mitigation Strategies
- Input Validation: Validate resolved IP addresses, not just hostnames.
- Network Segmentation: Block egress traffic to internal networks via firewall rules.
- Disable Redirects: Enforce strict redirect policies (implemented in v137).
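The first mitigation above is the one that actually closes the DNS-alias bypass: decide on the resolved address, not on the string in the URL. The Go code below is an added illustration written for this write-up, not esm.sh's own code and not the patch in commit 0593516. It resolves the hostname, rejects the request if any answer falls in loopback, private, link-local (which covers the 169.254.169.254 metadata endpoint), unspecified or multicast space, and then dials the vetted IP instead of the name so a later re-resolution cannot swap in a different address. Because the check lives in the transport's dialer, every redirect hop goes through it as well. The names (IsInternalIP, ResolveAndCheck, NewHardenedClient, FakeResolver), the three-redirect cap and the DNS table are assumptions; the table is constructed so the example runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"
)

// Resolver abstracts DNS lookup so the policy can be exercised offline with
// constructed answers. In production this would wrap net.DefaultResolver.
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

// IsInternalIP reports whether an address must never be fetched on a user's
// behalf: loopback, RFC 1918 / ULA private space, link-local (this is where
// 169.254.169.254 lives), unspecified and multicast.
func IsInternalIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4 // normalise IPv4-mapped IPv6 such as ::ffff:127.0.0.1
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ResolveAndCheck resolves host and rejects it if ANY answer is internal.
// Checking the resolved address rather than the name is what defeats aliases
// such as 127.0.0.1.nip.io. The vetted addresses are returned so the caller
// dials exactly those and never resolves a second time.
func ResolveAndCheck(ctx context.Context, host string, resolve Resolver) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil { // literal IP: no DNS involved
		if IsInternalIP(ip) {
			return nil, fmt.Errorf("ssrf: %s is an internal address", host)
		}
		return []net.IP{ip}, nil
	}
	ips, err := resolve(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, errors.New("ssrf: no addresses for " + host)
	}
	for _, ip := range ips {
		if IsInternalIP(ip) {
			return nil, fmt.Errorf("ssrf: %s resolves to internal address %s", host, ip)
		}
	}
	return ips, nil
}

// NewHardenedClient (hypothetical helper) returns an http.Client whose dialer
// vets every connection, redirect targets included, and pins the connection
// to the vetted IP. http.Transport still takes the TLS ServerName from the
// request URL, so certificate validation keeps working with the original host.
func NewHardenedClient(resolve Resolver) *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := ResolveAndCheck(ctx, host, resolve)
			if err != nil {
				return nil, err
			}
			return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
		},
	}
	return &http.Client{
		Transport: transport,
		Timeout:   30 * time.Second,
		// Host vetting already happens in the dialer; the redirect policy only
		// bounds the chain length (cap of 3 is an assumption).
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("ssrf: too many redirects")
			}
			return nil
		},
	}
}

// FakeResolver is a constructed DNS table standing in for nip.io-style aliases.
func FakeResolver(table map[string][]string) Resolver {
	return func(_ context.Context, host string) ([]net.IP, error) {
		addrs, ok := table[strings.ToLower(host)]
		if !ok {
			return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
		}
		var ips []net.IP
		for _, a := range addrs {
			ips = append(ips, net.ParseIP(a))
		}
		return ips, nil
	}
}

func main() {
	resolve := FakeResolver(map[string][]string{
		"127.0.0.1.nip.io": {"127.0.0.1"},     // alias to loopback: rejected
		"cdn.example":      {"203.0.113.10"},  // documentation range: allowed
		"mixed.example":    {"203.0.113.10", "10.0.0.5"}, // one bad answer: rejected
	})
	for _, h := range []string{"127.0.0.1.nip.io", "cdn.example", "mixed.example", "169.254.169.254"} {
		_, err := ResolveAndCheck(context.Background(), h, resolve)
		fmt.Printf("%-18s -> %v\n", h, err)
	}
}
```

Two points a practitioner should check in their own version: a name that returns a mix of public and internal answers is rejected outright rather than "the first public one used", and the dialer connects to the address that was checked, which is what stops a time-of-check/time-of-use gap where the record changes between validation and connect. Egress firewall rules (next section) remain the backstop for anything that slips past application logic.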
Remediation Steps:
- Update esm.sh to version 137 or later immediately.
- Configure the host server's firewall (iptables/UFW) to drop outgoing packets to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 127.0.0.0/8.
- If running in AWS, ensure IMDSv2 is enforced (require session tokens).
References
Read the full report for CVE-2026-27730 on our website for more details including interactive diagrams and full exploit analysis.