Platform
nodejs
Component
webpack
Fixed in
5.49.1
5.104.1
CVE-2025-68458 describes a Server-Side Request Forgery (SSRF) vulnerability within webpack, specifically when the experiments.buildHttp feature is enabled. An attacker can bypass the intended restrictions of allowedUris by crafting malicious URLs containing userinfo (username:password@host), potentially leading to unauthorized outbound requests during the build process. This vulnerability affects webpack versions prior to 5.104.1 and is resolved with an upgrade.
The SSRF vulnerability in webpack allows an attacker to initiate outbound HTTP(S) requests from the build server to arbitrary destinations. This can be exploited to access internal resources, exfiltrate sensitive data, or potentially interact with other systems within the network. The bypass occurs because the URL validation logic relies on a raw string prefix check, which can be circumvented by crafting URLs that appear to be within the allowed scope but ultimately resolve to a different host. This is particularly concerning in CI/CD pipelines where webpack is used to build applications, as it could allow an attacker to compromise the build environment and inject malicious code into the final product. The impact is amplified if the build server has access to sensitive internal resources or credentials.
This vulnerability is not currently listed on KEV, and the EPSS score is likely low given the requirement to enable experiments.buildHttp. Public proof-of-concept exploits are not widely available, but the bypass technique is well-understood. The vulnerability was publicly disclosed on 2026-02-05. Active exploitation is not currently confirmed, but the ease of bypass makes it a potential target for automated scanning and exploitation.
Node.js projects utilizing webpack's experiments.buildHttp feature and relying on prefix-based allowedUris validation are at risk. This includes projects using webpack for bundling, asset management, and build automation, particularly those with custom build configurations or those integrating webpack into CI/CD pipelines.
• nodejs / supply-chain:
npm list webpack
# Check for versions < 5.104.1
• generic web:
grep -rn 'buildHttp' webpack.config.*
# Look for webpack configurations enabling the vulnerable feature (experiments.buildHttp may be set to true or to an options object)
Disclosure
Exploit status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68458 is to upgrade webpack to version 5.104.1 or later. If upgrading is not immediately feasible, consider disabling the experiments.buildHttp feature entirely, as this removes the affected functionality. As a temporary workaround, implement stricter URL validation on the build server to prevent the use of userinfo in URLs. This could involve using a more robust URL parsing library that correctly handles userinfo and ensures that the final resolved host matches the allowed URI. Monitor build logs for unusual outbound requests and implement network segmentation to limit the build server's access to sensitive resources. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a crafted URL containing userinfo and verifying that the request is blocked.
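The following is an added example, not webpack's own code, that puts the prefix-based allow-list check described above beside the hardened form the mitigation calls for: parse the URL with the WHATWG URL API, refuse userinfo outright, and compare the parsed origin rather than the raw string. The allow-list value, the hostnames and the function names (isAllowedByPrefix, isAllowedByOrigin, resolvedHost) are constructed for illustration.

```javascript
// Added example (not webpack's code). Contrasts a raw string prefix check,
// as described for CVE-2025-68458, with an origin-based check that refuses
// userinfo. All names and values below are constructed for illustration.

// Constructed allow-list entry in the style of experiments.buildHttp.allowedUris.
const allowedUris = ["https://cdn.example.com"];

// Weak check: a raw string prefix comparison on the unparsed URL.
// "https://cdn.example.com@other-host/..." starts with the allowed string,
// yet the part before "@" is userinfo, so the request goes to other-host.
function isAllowedByPrefix(url, allowed = allowedUris) {
  return allowed.some((prefix) => url.startsWith(prefix));
}

// Where an HTTP client would actually connect for a given URL string
// (null if the string is not a valid URL).
function resolvedHost(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null;
  }
}

// Hardened check: parse first, reject any credentials in the URL, then
// compare scheme+host+port (the origin) and the path prefix against the
// parsed allow-list entries. Unparsable input is never allowed.
function isAllowedByOrigin(url, allowed = allowedUris) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  // Build assets are fetched anonymously; credentials in the URL only
  // serve to confuse string matching, so refuse them outright.
  if (parsed.username !== "" || parsed.password !== "") {
    return false;
  }
  return allowed.some((entry) => {
    const a = new URL(entry);
    return parsed.origin === a.origin && parsed.pathname.startsWith(a.pathname);
  });
}

// Compare both checks over a constructed set of inputs.
function demo() {
  const inputs = [
    "https://cdn.example.com/lib/app.js",                 // legitimate asset
    "https://cdn.example.com@not-the-cdn.example/app.js", // userinfo disguise
    "not a url",                                          // unparsable input
  ];
  return inputs.map((url) => ({
    url,
    prefixCheck: isAllowedByPrefix(url),
    originCheck: isAllowedByOrigin(url),
    connectsTo: resolvedHost(url),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows the second input passing the prefix check while connecting to a host outside the allow-list; the origin check rejects it because the parsed URL carries userinfo and its origin does not match. After upgrading, the same crafted input is a convenient fixture for confirming that the build no longer issues the request.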
Upgrade webpack to version 5.104.1 or later. This fixes the SSRF vulnerability that allows untrusted content to be pulled in during the build. To upgrade, run `npm install webpack@latest` or `yarn upgrade webpack` in your project.
CVE-2025-68458 is a Server-Side Request Forgery vulnerability in webpack versions prior to 5.104.1, allowing attackers to bypass URL restrictions during the build process.
You are affected if you are using webpack versions before 5.104.1 and have the experiments.buildHttp feature enabled with potentially flawed allowedUris validation.
Upgrade to webpack version 5.104.1 or later. If upgrading is not possible, disable experiments.buildHttp or implement strict URL matching in allowedUris.
There is no confirmed active exploitation at this time, but the vulnerability's nature suggests it could be easily exploited once a PoC is released.
Refer to the official webpack security advisory for CVE-2025-68458 on the webpack website or GitHub repository.