CVE-2025-68157: Server-Side Request Forgery in Webpack

Severity: 3.7 LOW (NVD)
EPSS: 0.0% (top 98.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 5

Description

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build mac
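The flaw described above, as an added example that is not webpack's own code: a simplified model of an HTTP(S) import resolver with an allowedUris list, run against a constructed in-memory "network" so nothing is fetched. All hostnames are placeholders; `revalidate=false` reproduces the vulnerable behaviour (the allow-list is checked only for the initial URL), `revalidate=true` shows the fix (every redirect target is checked before it is followed).

```javascript
// Added example, not webpack's own code: a simplified model of an HTTP(S) import
// resolver with an allowedUris list, showing the redirect bypass and the fix.
// The "network" is a constructed in-memory map of URL -> response; nothing is fetched.
const network = new Map([
  // allow-listed URL that redirects to a host outside the allow-list (constructed)
  ["https://cdn.example.test/lib.js",
    { status: 302, location: "http://internal.example.test/data" }],
  ["http://internal.example.test/data", { status: 200, body: "internal response" }],
  // allow-listed URL that redirects within the allow-list (relative Location)
  ["https://cdn.example.test/old.js", { status: 301, location: "/new.js" }],
  ["https://cdn.example.test/new.js", { status: 200, body: "module.exports = 1;" }],
]);

// allowedUris entries are string prefixes or RegExps, as in webpack's option.
const allowedUris = [/^https:\/\/cdn\.example\.test\//];

function isAllowed(url) {
  return allowedUris.some((rule) =>
    rule instanceof RegExp ? rule.test(url) : url.startsWith(rule));
}

// Mock transport: looks up the constructed map instead of opening a socket.
function fetchOnce(url) {
  const res = network.get(url);
  if (!res) throw new Error(`no route for ${url}`);
  return res;
}

// revalidate=false models the vulnerable behaviour (allowedUris checked only for
// the initial URL); revalidate=true checks every redirect target before following it.
function resolve(url, revalidate, maxRedirects = 5) {
  if (!isAllowed(url)) throw new Error(`${url} is not in allowedUris`);
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = fetchOnce(current);
    if (res.status >= 300 && res.status < 400 && res.location) {
      // resolve relative Location headers against the current URL, as a client would
      current = new URL(res.location, current).href;
      if (revalidate && !isAllowed(current)) {
        throw new Error(`redirect to ${current} is not in allowedUris`);
      }
      continue;
    }
    return { url: current, body: res.body };
  }
  throw new Error("too many redirects");
}
```

With `revalidate=false` the allow-listed `lib.js` import ends up fetching `http://internal.example.test/data`; with `revalidate=true` the same import is rejected at the redirect, while the in-allow-list redirect from `old.js` to `new.js` still succeeds.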

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Exploitability: 1.2 | Impact: 2.5

Affected Packages (4 packages)

npm: webpack/webpack, affected from 5.49.0, fixed in 5.104.0
NVD: webpack.js/webpack, affected from 5.49.0, fixed in 5.104.0
Debian: debian/node-webpack, < node-webpack 5.105.4+dfsg1+~cs15.13.23-2 (forky)
CVEListV5: webpack/webpack, >= 5.49.0, < 5.104.0

🔴 Vulnerability Details (3)

OSV: CVE-2025-68157: Webpack is a module bundler (2026-02-05)
OSV: webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence (2026-02-05)
GHSA: webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence (2026-02-05)

📋 Vendor Advisories (2)

Red Hat: webpack: webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects (2026-02-05)
Debian: CVE-2025-68157: node-webpack - Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experim... (2025)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-68157 Impact, Exploitability, and Mitigation Steps | Wiz