CVE-2025-68458
SSRF and Allow-List Bypass in Webpack HTTP Resolver
Publication date: 2026-02-05
Last updated on: 2026-02-13
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webpack.js | webpack | From 5.49.0 (inc) to 5.104.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Webpack versions from 5.49.0 to before 5.104.1 when the experiments.buildHttp feature is enabled. It allows an attacker to bypass the HTTP(S) resolver's allowedUris restriction by using specially crafted URLs that include userinfo (username:password@host). If the allowedUris enforcement relies on a simple string prefix check, an attacker can craft a URL that appears to be allowed but actually causes the network request to be sent to a different host after URL parsing.
This bypass leads to a policy or allow-list bypass, enabling build-time Server-Side Request Forgery (SSRF) behavior. This means outbound requests can be made from the build machine to internal-only endpoints depending on network access. Additionally, it allows untrusted content inclusion because the fetched response is treated as module source and bundled into the build.
The issue was fixed in Webpack version 5.104.1.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to perform Server-Side Request Forgery (SSRF) during the build process. This means that the build machine can be tricked into making unauthorized outbound requests to internal or restricted network endpoints.
Such unauthorized requests can expose internal services or data that are not meant to be accessible externally. Furthermore, because the fetched content is treated as module source and bundled, it can lead to the inclusion of untrusted or malicious code in your build output, potentially compromising the security and integrity of your application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade webpack to version 5.104.1 or later where the issue has been patched.
Additionally, if you rely on allowedUris for URL validation, ensure that the validation logic does not rely solely on raw string prefix checks like uri.startsWith(allowed), as this can be bypassed.
Consider disabling the experiments.buildHttp feature if it is not required, to reduce exposure.
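As an added illustration of the prefix-check weakness described in the explanation above and of the allowedUris advice in this answer (example code written for this page, not webpack's own resolver): a naive startsWith allow-list check beside a hardened check that parses the URL and compares the parsed origin. The allow-list entry and all sample URLs are constructed placeholders.

```javascript
// Added example, not webpack code. Demonstrates why a raw string prefix
// check over allowedUris is unsafe and what a parsed-origin check looks like.

// Naive check of the kind the advisory warns about: raw string prefix test.
function isAllowedNaive(uri, allowedUris) {
  return allowedUris.some((allowed) => uri.startsWith(allowed));
}

// Hardened check: parse first, refuse any userinfo, and require the parsed
// origin (scheme + host + port) to equal an allow-list entry's origin, with
// the path constrained to that entry's path prefix.
function isAllowedParsed(uri, allowedUris) {
  let target;
  try {
    target = new URL(uri);
  } catch {
    return false; // unparsable input is never allowed
  }
  // Credentials in the URL are the trick described in the advisory: reject outright.
  if (target.username !== "" || target.password !== "") return false;
  if (target.protocol !== "https:" && target.protocol !== "http:") return false;
  return allowedUris.some((allowed) => {
    const base = new URL(allowed);
    return target.origin === base.origin && target.pathname.startsWith(base.pathname);
  });
}

// Constructed allow-list (hypothetical host): note there is no trailing slash,
// so the string "https://cdn.example.com" is a prefix of many unrelated URLs.
const ALLOWED = ["https://cdn.example.com"];

// Constructed sample URLs. PROBE looks like the allowed prefix as a string, but the
// WHATWG parser treats "cdn.example.com" as userinfo and the host becomes
// "internal.example". LOOKALIKE is a plain prefix collision on a different host.
const LEGIT = "https://cdn.example.com/lib.js";
const PROBE = "https://cdn.example.com@internal.example/lib.js";
const LOOKALIKE = "https://cdn.example.com.evil.example/lib.js";

// Evaluate every sample under both checks and report the parsed host for contrast.
function checkAll(allowedUris, uris) {
  return uris.map((uri) => ({
    uri,
    host: new URL(uri).host,
    naive: isAllowedNaive(uri, allowedUris),
    parsed: isAllowedParsed(uri, allowedUris),
  }));
}

console.table(checkAll(ALLOWED, [LEGIT, PROBE, LOOKALIKE]));
```

Running it shows the naive check accepting all three URLs while the parsed check accepts only LEGIT, because for PROBE the parsed host is internal.example rather than cdn.example.com.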