CVE-2025-68458: Server-Side Request Forgery in Webpack

Severity: 3.7 LOW (NVD)
EPSS: 0.0% (top 98.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 5

Description

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/ho
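As an added illustration (not webpack's code and not taken from the advisory), the following Node.js snippet contrasts the raw string-prefix allow-list check the description names with a check that parses the URI with the WHATWG URL parser, rejects any userinfo, and compares scheme, host and port against the allow-list entry. The allow-list entry, the host names and the sample URIs are constructed placeholders. Beyond the userinfo case the page describes, it also shows two other ways a bare prefix match accepts a different authority (a longer host that merely shares the prefix, and a non-default port), since the same parse-and-compare fix covers all of them.

```javascript
// Added example, not webpack's implementation: why `uri.startsWith(allowed)`
// is the wrong primitive for an allowedUris-style check, and what to do instead.

// Naive check of the kind the advisory describes: raw string prefix only.
function naiveIsAllowed(uri, allowedUris) {
  return allowedUris.some((allowed) => uri.startsWith(allowed));
}

// Hardened check: parse the candidate URI, refuse userinfo outright (it has no
// legitimate use in a build-time fetch and is the bypass vector), then require
// scheme, hostname and port to equal the allow-list entry's and the normalized
// path to fall under the entry's path.
function parsedIsAllowed(uri, allowedUris) {
  let target;
  try {
    target = new URL(uri);
  } catch {
    return false; // anything the parser rejects is never allowed
  }
  if (target.username !== '' || target.password !== '') return false;

  return allowedUris.some((allowed) => {
    const base = new URL(allowed);
    return (
      target.protocol === base.protocol &&
      target.hostname === base.hostname &&
      target.port === base.port && // '' on both sides for the default port
      target.pathname.startsWith(base.pathname)
    );
  });
}

// Constructed sample data; "cdn.example" and "other.example" are placeholders.
const ALLOWED = ['https://cdn.example'];
const SAMPLES = [
  'https://cdn.example/libs/lodash.js',            // genuinely allowed
  'https://cdn.example@other.example/x.js',        // userinfo: string looks allowed, request goes to other.example
  'https://cdn.example:pw@other.example/x.js',     // same, with username:password form
  'https://cdn.example.other.example/x.js',        // longer host sharing the prefix
  'https://cdn.example:8443/x.js',                 // same host, different port
];

// Returns, for each sample, what both checks decide, so the gap is visible.
function compareChecks() {
  return SAMPLES.map((uri) => ({
    uri,
    naive: naiveIsAllowed(uri, ALLOWED),
    parsed: parsedIsAllowed(uri, ALLOWED),
  }));
}

for (const row of compareChecks()) {
  console.log(`${row.uri}\n  naive=${row.naive} parsed=${row.parsed}`);
}
```

Every sample except the first passes the naive check, because the bytes "https://cdn.example" appear at the start of the string; only the first passes the parsed check, because only there does the parser's idea of the authority match the allow-list entry. Comparing parsed components also makes the allow-list entry's meaning explicit (scheme, host, port, path prefix) instead of leaving it to whatever the string happens to begin with.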

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N (Exploitability: 1.2 | Impact: 2.5)

Affected Packages (4)

Source      Package               Affected range
npm         webpack/webpack       introduced 5.49.0, fixed 5.104.1
NVD         webpack.js/webpack    introduced 5.49.0, fixed 5.104.1
Debian      debian/node-webpack   < node-webpack 5.105.4+dfsg1+~cs15.13.23-2 (forky)
CVEListV5   webpack/webpack       >= 5.49.0, < 5.104.1

🔴 Vulnerability Details (3)

OSV: CVE-2025-68458: Webpack is a module bundler (2026-02-05)
OSV: webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior (2026-02-05)
GHSA: webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior (2026-02-05)

📋 Vendor Advisories (2)

Red Hat: webpack: webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior (2026-02-05)
Debian: CVE-2025-68458: node-webpack - Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experim... (2025)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-68458 Impact, Exploitability, and Mitigation Steps | Wiz