FKIE_CVE-2025-68458
Vulnerability from fkie_nvd - Published: 2026-02-05 23:15 - Updated: 2026-02-13 19:16
Summary
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.
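The gap between the raw prefix check and a check on the parsed URL, as an added example (not webpack's code or its patch). The function names and the sample URLs are constructed for illustration, and allow-list entries are assumed to be plain strings.

```javascript
// Added example with constructed values; not taken from webpack's source.

function tryParse(uri) {
  try {
    return new URL(uri);
  } catch {
    return null; // unparseable input
  }
}

// The raw string prefix check the advisory describes.
function prefixAllowed(uri, allowedUris) {
  return allowedUris.some((allowed) => uri.startsWith(allowed));
}

// Stricter check: parse first, then compare parsed components.
function parsedAllowed(uri, allowedUris) {
  const target = tryParse(uri);
  if (target === null) return false;
  // Userinfo has no place in a module URL; reject it outright.
  if (target.username !== "" || target.password !== "") return false;
  return allowedUris.some((allowed) => {
    const base = tryParse(allowed);
    if (base === null || target.origin !== base.origin) return false;
    // The path prefix must end on a segment boundary.
    const dir = base.pathname.endsWith("/") ? base.pathname : base.pathname + "/";
    return target.pathname === base.pathname || target.pathname.startsWith(dir);
  });
}

// List URLs the prefix check accepts but the parsed check rejects,
// together with the host the request would actually be sent to.
function auditUris(uris, allowedUris) {
  return uris
    .filter((u) => prefixAllowed(u, allowedUris) && !parsedAllowed(u, allowedUris))
    .map((u) => {
      const parsed = tryParse(u);
      return { uri: u, requestHost: parsed ? parsed.host : null };
    });
}

// Constructed sample data using reserved .example names.
const ALLOWED = ["https://cdn.example.com"];
const SAMPLE_URIS = [
  "https://cdn.example.com/lib/a.js",
  "https://cdn.example.com@internal.example/lib/a.js",
  "https://other.example/lib/a.js",
];

console.log(auditUris(SAMPLE_URIS, ALLOWED));
```

Running `auditUris` over the remote import URLs of a project that enables experiments.buildHttp shows which entries a prefix-based policy would accept while the request goes to another host.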
References
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| webpack.js | webpack | * |
```json
{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:webpack.js:webpack:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "0AEEDFC3-E074-45A4-8E77-E10FE80A8054",
              "versionEndExcluding": "5.104.1",
              "versionStartIncluding": "5.49.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack\u2019s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1."
    },
    {
      "lang": "es",
      "value": "Webpack es un empaquetador de m\u00f3dulos. Desde la versi\u00f3n 5.49.0 hasta antes de la 5.104.1, cuando experiments.buildHttp est\u00e1 habilitado, el resolvedor HTTP(S) de webpack (HttpUriPlugin) puede ser eludido para obtener recursos de hosts fuera de allowedUris utilizando URLs manipuladas que incluyen userinfo (username:password@host). Si la aplicaci\u00f3n de allowedUris se basa en una comprobaci\u00f3n de prefijo de cadena sin procesar (por ejemplo, uri.startsWith(allowed)), una URL que parece estar en la lista de permitidos puede pasar la validaci\u00f3n mientras que la solicitud de red real se env\u00eda a una autoridad/host diferente despu\u00e9s del an\u00e1lisis de la URL. Esto es una omisi\u00f3n de pol\u00edtica/lista de permitidos que habilita el comportamiento SSRF en tiempo de compilaci\u00f3n (solicitudes salientes desde la m\u00e1quina de compilaci\u00f3n a puntos finales solo internos, dependiendo del acceso a la red) y la inclusi\u00f3n de contenido no confiable (la respuesta obtenida se trata como fuente de m\u00f3dulo y se empaqueta). Este problema ha sido parcheado en la versi\u00f3n 5.104.1."
    }
  ],
  "id": "CVE-2025-68458",
  "lastModified": "2026-02-13T19:16:14.680",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-05T23:15:53.940",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}
```