CVE-2026-27730

7.5 HIGH

📋 TL;DR

CVE-2026-27730 is a Server-Side Request Forgery (SSRF) vulnerability in esm.sh's fetch route. The route validates the target by hostname string, so an attacker can bypass it with a DNS alias domain: a public hostname whose records point at 127.0.0.1. An unauthenticated external requester can thereby make the esm.sh server fetch from services listening on its own loopback interface. esm.sh versions up to and including 137 are affected.

💻 Affected Systems

Products:
  • esm.sh
Versions: up to and including 137
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment that exposes the /http(s) fetch route is affected; no non-default configuration is needed to reach the vulnerable code path.

📦 What is this software?

esm.sh is a CDN (also self-hostable) that serves npm packages to browsers and Deno as standard ES modules. Its fetch route lets a client ask the server to retrieve a module from an arbitrary URL and serve a transformed copy; it is that server-side fetch which this vulnerability turns against the server's own loopback services.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could reach unauthenticated admin or management services that listen only on loopback, steal credentials from them, pivot into the internal network, and, where such a service accepts commands, execute arbitrary code on internal systems.

🟠

Likely Case

Information disclosure from internal services, enumeration of internal network resources, and potential data exfiltration.

🟢

If Mitigated

With proper network segmentation and egress filtering in place, impact is limited to reconnaissance of whatever internal services remain reachable from the esm.sh host.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs only an unauthenticated HTTP request to the fetch route whose target hostname is a DNS alias for loopback: a public name whose A or AAAA record is 127.0.0.1 or ::1. The string-based validation never sees "localhost", so the server resolves the name and connects to its own loopback interface. No special tooling is required.
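The following Go example is added here for illustration and is not esm.sh's code or the vendor's fix. It reconstructs the class of string-based hostname check the advisory describes (a hypothetical reconstruction; the actual esm.sh code may differ), shows it passing a constructed alias hostname "alias.example" whose record points at 127.0.0.1, and beside it the resolve-then-check pattern that judges the addresses a name actually maps to and pins the connection to the checked address. The resolver and DNS table are constructed so the example runs offline; fakeResolver, hardenedHostCheck and resolveTarget are names chosen for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Resolver abstracts DNS so the example runs offline; a real server passes
// net.DefaultResolver.LookupIPAddr here.
type Resolver func(ctx context.Context, host string) ([]net.IPAddr, error)

// Constructed DNS table. "alias.example" stands in for a public hostname whose A record
// points at loopback (the pattern behind this CVE); "mixed.example" mixes public and RFC 1918.
var fakeDNS = map[string][]string{
	"alias.example": {"127.0.0.1"},
	"cdn.example":   {"203.0.113.10"},
	"mixed.example": {"203.0.113.10", "10.0.0.5"},
}

func fakeResolver(_ context.Context, host string) ([]net.IPAddr, error) {
	answers, ok := fakeDNS[strings.ToLower(host)]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	var out []net.IPAddr
	for _, a := range answers {
		out = append(out, net.IPAddr{IP: net.ParseIP(a)})
	}
	return out, nil
}

// vulnerableHostCheck is a hypothetical reconstruction of the class of check the advisory
// describes, not esm.sh's code: a denylist of hostname strings. Any other name that
// resolves to 127.0.0.1 passes untouched.
func vulnerableHostCheck(host string) error {
	h := strings.ToLower(strings.Trim(host, "[]"))
	if h == "localhost" || strings.HasSuffix(h, ".localhost") ||
		h == "127.0.0.1" || h == "::1" || h == "0.0.0.0" {
		return errors.New("host not allowed")
	}
	return nil
}

// isInternalIP covers loopback, RFC 1918, link-local (including 169.254.169.254 cloud
// metadata), unspecified and multicast; IPv4-mapped IPv6 literals are normalised by To4.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// hardenedHostCheck judges the resolved addresses, not the string; a single internal
// answer rejects the whole name.
func hardenedHostCheck(ctx context.Context, resolve Resolver, host string) ([]net.IP, error) {
	host = strings.Trim(host, "[]")
	if ip := net.ParseIP(host); ip != nil {
		if isInternalIP(ip) {
			return nil, fmt.Errorf("literal %s is an internal address", host)
		}
		return []net.IP{ip}, nil
	}
	addrs, err := resolve(ctx, host)
	if err != nil || len(addrs) == 0 {
		return nil, fmt.Errorf("cannot resolve %s: %v", host, err)
	}
	var ips []net.IP
	for _, a := range addrs {
		if isInternalIP(a.IP) {
			return nil, fmt.Errorf("%s resolves to internal address %s", host, a.IP)
		}
		ips = append(ips, a.IP)
	}
	return ips, nil
}

// resolveTarget maps "host:port" to the pinned "ip:port" the dialer must connect to.
// Dialling the checked IP instead of re-resolving closes the rebinding gap between check and connect.
func resolveTarget(ctx context.Context, resolve Resolver, addr string) (string, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return "", err
	}
	ips, err := hardenedHostCheck(ctx, resolve, host)
	if err != nil {
		return "", err
	}
	return net.JoinHostPort(ips[0].String(), port), nil
}

func main() {
	ctx := context.Background()
	for _, h := range []string{"localhost", "alias.example", "cdn.example", "mixed.example"} {
		_, err := hardenedHostCheck(ctx, fakeResolver, h)
		fmt.Printf("%-14s string check: %v; resolved check: %v\n", h, vulnerableHostCheck(h), err)
	}
}
```

To use this in a Go HTTP client, wrap resolveTarget in a function assigned to http.Transport.DialContext so the dialer connects to the pinned ip:port instead of re-resolving the name; otherwise a second lookup at connect time can return a different answer (DNS rebinding), and the check is defeated a second way.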

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: https://github.com/esm-dev/esm.sh/security/advisories/GHSA-p2v6-84h2-5x4r

Restart Required: Yes

Instructions:

No fixed release is listed here. Watch the vendor advisory for the fixed version and upgrade as soon as it is published; until then apply the workarounds below.

🔧 Temporary Workarounds

Disable vulnerable fetch route (platform: all)

Temporarily disable the /http(s) fetch route. If the esm.sh configuration exposes no switch for it, reject requests to the fetch-route path prefix at the reverse proxy in front of the server (return 403), so the route is never reached.

Network egress filtering (platform: all)

Restrict outbound connections from the esm.sh host to the upstream registries it actually needs, and explicitly deny loopback (127.0.0.0/8, ::1), RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16, fe80::/10; this includes cloud metadata endpoints) and unique-local (fc00::/7) ranges. A perimeter firewall cannot see traffic to services on the esm.sh host's own loopback interface, which is exactly what this CVE targets; for those, use host-level rules scoped to the esm.sh process (for example an iptables owner match on its uid that drops output to lo) or run the server in its own network namespace with nothing else listening.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate esm.sh from sensitive internal services, including moving it off hosts that run other listeners on loopback
  • Deploy a WAF with SSRF protection rules, but note that a rule which only pattern-matches "localhost" or "127.0.0.1" in the request URL is the same string check this CVE bypasses; to be effective the rule must allowlist permitted target hostnames or resolve the target and evaluate the resulting address

🔍 How to Verify

Check if Vulnerable:

Check if esm.sh version is ≤137 and the /http(s) fetch route is enabled

Check Version:

Check the release or container image tag of the deployed esm.sh server, or the version recorded in its logs or configuration.

Verify Fix Applied:

From a trusted host, request the fetch route with a target hostname you control whose DNS record points at 127.0.0.1 (or a public alias known to resolve to loopback), aimed at a listener you run on the esm.sh host's loopback interface. A fixed server must refuse the request, and the listener must record no connection. Repeat with ::1, an IPv4-mapped literal (::ffff:127.0.0.1) and a name whose answers mix a public and a private address, since the fix has to judge resolved addresses rather than the hostname string.

📡 Detection & Monitoring

Log Indicators:

  • Requests to the /http(s) fetch route whose target hostname is not an expected upstream, in particular names that resolve to loopback or private addresses (the request path shows only the alias name, so correlate with resolver or connection logs)
  • Outbound connections from the esm.sh process to loopback or internal IP addresses

Network Indicators:

  • esm.sh host making outbound connections to loopback, RFC 1918 or link-local ranges (including cloud metadata endpoints)
  • DNS responses for fetch-route target names that contain 127.0.0.1, ::1 or other internal addresses (match on the answer, not the queried name: an alias attack never queries "localhost")

SIEM Query:

source="esm.sh" AND (url_path="/http*" OR url_path="/https*") AND (dns_answer="127.0.0.1" OR dns_answer="::1" OR dest_ip=127.0.0.0/8 OR dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16 OR dest_ip=169.254.0.0/16)

The query is pseudo-syntax. dest_ip and dns_answer come from connection or resolver telemetry for the esm.sh host and must be joined to the access log by time and process, because the access log alone never contains the resolved address.
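Added example, not part of the advisory or of esm.sh: a small Go scanner that applies the detection logic above to a constructed access-log sample. It extracts the target URL embedded in fetch-route paths (the path shape /https://host/path is an assumption about the route), resolves the hostname through a constructed DNS table (in production, net.LookupIP or a join against resolver logs), and reports requests whose target is loopback, private or link-local, whether or not the server actually served them.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Constructed access-log sample from a reverse proxy in front of esm.sh (combined log
// format assumed; esm.sh's own log layout may differ). The fetch route is assumed to take
// the form "/https://host/path", so the target hostname is embedded in the request path.
const sampleLog = `198.51.100.7 - - [12/Mar/2026:10:01:02 +0000] "GET /https://cdn.example/lib.js HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2026:10:01:09 +0000] "GET /https://alias.example:8080/admin HTTP/1.1" 200 813
198.51.100.7 - - [12/Mar/2026:10:01:15 +0000] "GET /http://127.0.0.1:9200/_cat/indices HTTP/1.1" 403 0
198.51.100.7 - - [12/Mar/2026:10:01:20 +0000] "GET /react@18 HTTP/1.1" 200 2048
198.51.100.9 - - [12/Mar/2026:10:02:01 +0000] "GET /http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 311`

// Constructed resolver data. In production, join against resolver or connection logs, or
// call net.LookupIP; the request path alone only shows the alias name.
var fakeDNS = map[string][]string{
	"cdn.example":   {"203.0.113.10"},
	"alias.example": {"127.0.0.1"},
}

// Finding is one fetch-route request whose target is an internal address.
type Finding struct {
	Client, Target, Reason string
}

var reqRe = regexp.MustCompile(`^(\S+) .*"(?:GET|HEAD|POST) (/\S+) HTTP/`)

func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// targetReason explains why a hostname is internal, or returns "" if it is not.
func targetReason(host string) string {
	if ip := net.ParseIP(host); ip != nil {
		if isInternalIP(ip) {
			return "literal internal address"
		}
		return ""
	}
	for _, a := range fakeDNS[strings.ToLower(host)] {
		if isInternalIP(net.ParseIP(a)) {
			return "hostname resolves to " + a
		}
	}
	return ""
}

// scan returns the fetch-route requests in log that point at internal targets, in order.
func scan(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := reqRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		client, path := m[1], m[2]
		if !strings.HasPrefix(path, "/http://") && !strings.HasPrefix(path, "/https://") {
			continue // ordinary package requests such as /react@18
		}
		u, err := url.Parse(path[1:])
		if err != nil || u.Hostname() == "" {
			continue
		}
		if reason := targetReason(u.Hostname()); reason != "" {
			out = append(out, Finding{Client: client, Target: u.Host, Reason: reason})
		}
	}
	return out
}

func main() {
	for _, f := range scan(sampleLog) {
		fmt.Printf("client=%s target=%s reason=%q\n", f.Client, f.Target, f.Reason)
	}
}
```

The request with status 403 is still reported: for SSRF the attempt is the signal, and a refused probe from the same client usually precedes one that succeeds with a different alias.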
