esm.sh Server-Side Request Forgery Vulnerability Allowing Access to Internal Services

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in esm.sh, a no-build content delivery network (CDN) for web development. This vulnerability exists in versions of esm.sh through 137, specifically within the '/http(s)' fetch route. The service attempts to block requests to localhost and internal targets, but this validation relies on hostname string checks that can be circumvented using DNS alias domains. As a result, an external requester can manipulate the esm.sh server into fetching data from internal localhost services. At the time of publication, no patched versions are available.

Impact

Exploitation of this vulnerability allows external access to internal localhost services via the esm.sh '/http(s)' route, potentially leading to unauthorized exposure of sensitive internal endpoints or resources.

Reproduction

The vulnerability can be reproduced by deploying esm.sh in a Docker container and exposing the '/http(s)' fetch route. Afterward, an internal service can be set up in the same network namespace, such as a Flask application running on localhost. Once the internal service is running, a request can be made to the esm.sh endpoint using a DNS alias that resolves to localhost, bypassing the service's validation and accessing the internal service's response.
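As an added illustration that is not esm.sh's own code, the Go below contrasts the hostname-string check the advisory describes with a resolver-based check that rejects any name resolving to an internal address. The lookup map, `alias.example` and `public.example` are constructed stand-ins for real DNS; in production `net.LookupIP` would be passed as the resolver.

```go
package main

import (
	"fmt"
	"net"
)

// naiveHostCheck mirrors the weak validation the advisory describes: a
// string comparison that an alias domain resolving to 127.0.0.1 passes.
func naiveHostCheck(host string) bool {
	return host != "localhost" && host != "127.0.0.1" && host != "::1" && host != "0.0.0.0"
}

// isInternalIP reports whether ip lies in a range the fetch route must never reach.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast()
}

// resolvedHostCheck resolves host (net.LookupIP in production) and rejects the
// name if any returned address is internal, closing the alias-domain bypass.
// The vetted addresses are returned so the caller dials one of them directly
// instead of re-resolving the name, since a second lookup may answer differently.
func resolvedHostCheck(host string, resolve func(string) ([]net.IP, error)) ([]net.IP, error) {
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("%q: lookup failed: %v", host, err)
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return nil, fmt.Errorf("%q resolves to internal address %s", host, ip)
		}
	}
	return ips, nil
}

// constructedDNS stands in for real DNS so the example runs offline;
// "alias.example" is a constructed alias pointing at loopback.
var constructedDNS = map[string][]net.IP{
	"localhost":      {net.ParseIP("127.0.0.1")},
	"alias.example":  {net.ParseIP("127.0.0.1")},
	"public.example": {net.ParseIP("203.0.113.10")},
}

func lookupConstructed(host string) ([]net.IP, error) {
	if ips, ok := constructedDNS[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host")
}
```

The string check accepts `alias.example`, while the resolver-based check rejects it because its address is loopback.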

Added: Feb 25, 2026, 9:29 PM
Updated: Feb 25, 2026, 9:29 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  8.2
remediation     0.0
relevance       3.2
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.