CVE-2025-68458
Unknown Unknown - Not Provided
SSRF and Allow-List Bypass in Webpack HTTP Resolver

Publication date: 2026-02-05

Last updated on: 2026-02-13

Assigner: GitHub, Inc.

Description
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-13
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68458
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
webpack.js webpack From 5.49.0 (inc) to 5.104.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Webpack versions from 5.49.0 to before 5.104.1 when the experiments.buildHttp feature is enabled. It allows an attacker to bypass the HTTP(S) resolver's allowedUris restriction by using specially crafted URLs that include userinfo (username:password@host). If the allowedUris enforcement relies on a simple string prefix check, an attacker can craft a URL that appears to be allowed but actually causes the network request to be sent to a different host after URL parsing.

This bypass leads to a policy or allow-list bypass, enabling build-time Server-Side Request Forgery (SSRF) behavior. This means outbound requests can be made from the build machine to internal-only endpoints depending on network access. Additionally, it allows untrusted content inclusion because the fetched response is treated as module source and bundled into the build.

The issue was fixed in Webpack version 5.104.1.

Impact Analysis

This vulnerability can impact you by allowing attackers to perform Server-Side Request Forgery (SSRF) during the build process. This means that the build machine can be tricked into making unauthorized outbound requests to internal or restricted network endpoints.

Such unauthorized requests can expose internal services or data that are not meant to be accessible externally. Furthermore, because the fetched content is treated as module source and bundled, it can lead to the inclusion of untrusted or malicious code in your build output, potentially compromising the security and integrity of your application.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade webpack to version 5.104.1 or later where the issue has been patched.

Additionally, if you rely on allowedUris for URL validation, ensure that the validation logic does not rely solely on raw string prefix checks like uri.startsWith(allowed), as this can be bypassed.

Consider disabling the experiments.buildHttp feature if it is not required, to reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68458. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart