Affected version range: 5.49.1 through versions prior to 5.104.0
Fixed in: 5.104.0
CVE-2025-68157 describes a Server-Side Request Forgery (SSRF) vulnerability in webpack 5. The flaw arises when the experiments.buildHttp feature is enabled: webpack checks the URL of an http(s) import against the allowedUris allow-list, but follows HTTP 30x redirects without re-checking the redirect target, so the allow-list can be bypassed. Exploitation can lead to build-time SSRF, potentially exposing internal endpoints reachable from the build machine, and to the inclusion of untrusted content in build outputs. The vulnerability affects versions of webpack prior to 5.104.0; the fix ships in 5.104.0.
The bypass works as follows. An import references an HTTP(S) URL that passes the allowedUris check. The server behind that allowed URL answers with a 30x redirect whose Location points outside the allow-list, for example at an internal-only address. Because vulnerable versions of webpack do not re-validate the redirect target against allowedUris, the build process follows the redirect and fetches the resource from that arbitrary destination. Two consequences follow. First, the build machine acts as a request proxy: depending on its network position, it can reach internal-only endpoints that are not exposed to the internet. Second, whatever the redirect target returns is treated as module source and can end up in the final bundle, which is how malicious code or sensitive data from an internal response could be introduced into an application. This matters most where webpack produces production bundles from imports, or from allow-listed hosts, that are not fully under the team's control.
CVE-2025-68157 has a CVSS score of 3.7 (LOW). No public proof-of-concept (PoC) exploit has been disclosed at the time of writing. The vulnerability was published on 2026-02-05. Its impact is limited to the build environment, and exploitation requires either control over the webpack configuration or the ability to introduce an http(s) import, together with the ability to make an allow-listed host respond with a redirect (for example by controlling content on that host or abusing an open-redirect endpoint on it). The EPSS score listed for it is 0.01% (1st percentile).
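To make the missing re-validation concrete, here is an added example (not webpack's code, and not taken from the advisory) that simulates resolving an http(s) import against an allowedUris list with and without re-checking the target of a 30x redirect. The hosts cdn.example.com and 10.0.0.5, the URLs and the responses are constructed in memory; nothing is fetched over the network. The allow-list matching follows the semantics webpack documents for allowedUris (string entry = URL prefix, RegExp = tested against the URL, function = predicate).

```javascript
// Added example, not webpack's code: simulates resolving an http(s) import against
// experiments.buildHttp.allowedUris with and without re-validating the target of an
// HTTP 30x redirect. All hosts, URLs and responses below are constructed in memory.

// Allow-list matching as webpack documents it for allowedUris:
// a string is a URL prefix, a RegExp is tested against the URL, a function decides.
function isAllowed(url, allowedUris) {
  return allowedUris.some((entry) => {
    if (typeof entry === 'string') return url.startsWith(entry);
    if (entry instanceof RegExp) return entry.test(url);
    if (typeof entry === 'function') return Boolean(entry(url));
    return false;
  });
}

// Constructed responses standing in for remote servers. The allow-listed CDN host
// answers one path with a 302 whose Location points at an internal-only address.
const RESPONSES = {
  'https://cdn.example.com/lib.js': { status: 200, body: 'export const fromCdn = true;' },
  'https://cdn.example.com/redirect.js': { status: 302, location: 'http://10.0.0.5/internal.js' },
  'http://10.0.0.5/internal.js': { status: 200, body: 'export const leaked = "internal";' },
};

function fakeFetch(url) {
  return RESPONSES[url] || { status: 404 };
}

// Resolve `url`, following up to `maxRedirects` 30x responses.
// revalidateRedirects=false reproduces the flaw (only the initial URL is checked);
// revalidateRedirects=true is the fixed behaviour (every hop is checked).
function resolveHttpImport(url, allowedUris, { revalidateRedirects, maxRedirects = 5 } = {}) {
  if (!isAllowed(url, allowedUris)) {
    return { ok: false, reason: 'not in allowedUris', url };
  }
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = fakeFetch(current);
    if (res.status >= 300 && res.status < 400 && res.location) {
      const next = new URL(res.location, current).href; // Location may be relative
      if (revalidateRedirects && !isAllowed(next, allowedUris)) {
        return { ok: false, reason: 'redirect target not in allowedUris', url: next };
      }
      current = next;
      continue;
    }
    if (res.status === 200) return { ok: true, url: current, body: res.body };
    return { ok: false, reason: `HTTP ${res.status}`, url: current };
  }
  return { ok: false, reason: 'too many redirects', url: current };
}

const ALLOWED = ['https://cdn.example.com/'];

// Vulnerable: the initial URL passes, the 302 is followed to the internal host,
// and the internal response becomes module source.
const vulnerable = resolveHttpImport('https://cdn.example.com/redirect.js', ALLOWED, {
  revalidateRedirects: false,
});
// Fixed: the redirect target is checked against the allow-list and rejected.
const fixed = resolveHttpImport('https://cdn.example.com/redirect.js', ALLOWED, {
  revalidateRedirects: true,
});

console.log('vulnerable:', vulnerable);
console.log('fixed:', fixed);
```

Run it with node. The trailing slash in ALLOWED is deliberate: because a string entry is a plain prefix, 'https://cdn.example.com' without the slash would also match https://cdn.example.com.evil.test/, so string prefixes should end at a path boundary even on a patched webpack.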
Exploit status: no public proof-of-concept disclosed.
EPSS: 0.01% (1st percentile).
The primary mitigation for CVE-2025-68157 is to upgrade to webpack 5.104.0 or later, which re-validates redirect targets against allowedUris. If upgrading is not immediately feasible, disable the experiments.buildHttp feature entirely; this removes the attack surface. As a temporary workaround, review and tighten the allowedUris configuration: prefer specific https:// prefixes that end in a slash, or anchored regular expressions, and avoid broad patterns that match more hosts or paths than intended. Setting frozen: true in experiments.buildHttp, so that the build fails on any change to the remote-content lockfile, also limits what an unexpected redirect can introduce into the bundle, although it does not stop the request itself. Apply network segmentation or egress filtering (a forward proxy or firewall rules; a WAF inspects inbound traffic and does not help here) to limit what the build machine can reach, bearing in mind that none of this is a substitute for patching.
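As an added check (example code, not part of webpack or of the advisory), the function below takes a webpack configuration object and the installed webpack version and reports the conditions discussed above: an unpatched version with buildHttp enabled, allow-list entries that match more than they appear to, and a lockfile that is not frozen. The configuration objects and version strings are constructed for illustration. The statement that webpack enables frozen by default only in production mode is my reading of webpack's defaults, which is why the check asks for it to be set explicitly rather than relying on the mode.

```javascript
// Added example, not webpack's code: audits a webpack configuration for exposure to
// CVE-2025-68157. Configurations and version strings below are constructed.

// First release with the fix, per the advisory.
const FIXED_VERSION = '5.104.0';

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^[v^~]/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

function isPatched(version) {
  return compareSemver(version, FIXED_VERSION) >= 0;
}

// Returns a list of findings; an empty list means nothing to flag.
// buildHttp disabled => no attack surface regardless of version.
// buildHttp enabled on an unpatched version => vulnerable.
// Broad allow-list entries and a non-frozen lockfile widen the blast radius even when patched.
function auditBuildHttp(config, webpackVersion) {
  const findings = [];
  const buildHttp = config && config.experiments && config.experiments.buildHttp;
  if (!buildHttp) return findings;

  if (!isPatched(webpackVersion)) {
    findings.push(
      `webpack ${webpackVersion} < ${FIXED_VERSION}: redirect targets are not re-validated against allowedUris (CVE-2025-68157)`
    );
  }
  // buildHttp: true (boolean) has no allowedUris at all and is flagged below.
  const allowed = Array.isArray(buildHttp.allowedUris) ? buildHttp.allowedUris : [];
  if (allowed.length === 0) findings.push('allowedUris is empty or missing');
  for (const entry of allowed) {
    if (typeof entry === 'string') {
      if (!/^https:\/\//.test(entry)) findings.push(`non-https prefix: ${entry}`);
      if (!entry.endsWith('/')) {
        findings.push(`prefix without trailing slash also matches ${entry}.evil.test: ${entry}`);
      }
    } else if (entry instanceof RegExp) {
      if (!entry.source.startsWith('^')) findings.push(`unanchored RegExp: ${entry}`);
    }
    // function entries cannot be inspected statically
  }
  if (buildHttp.frozen !== true) {
    findings.push(
      'frozen is not explicitly true: lockfile changes, including content pulled in via a redirect, are accepted outside production mode (assumed default)'
    );
  }
  return findings;
}

// Constructed weak configuration: bare host prefix, unanchored regex, frozen unset.
const weakConfig = {
  experiments: {
    buildHttp: {
      allowedUris: ['https://cdn.example.com', /example\.com/],
    },
  },
};

// Constructed hardened configuration: slash-terminated https prefix, frozen lockfile.
const hardenedConfig = {
  experiments: {
    buildHttp: {
      allowedUris: ['https://cdn.example.com/'],
      frozen: true,
      lockfileLocation: 'webpack.lock.json',
    },
  },
};

const weakFindings = auditBuildHttp(weakConfig, '5.103.0');
const hardenedFindings = auditBuildHttp(hardenedConfig, '5.104.0');

console.log('weak config:', weakFindings);
console.log('hardened config:', hardenedFindings);
```

In practice you would feed it the exported object from your webpack.config.js and the webpack version from your lockfile; a configuration without experiments.buildHttp returns no findings because the feature, and with it the SSRF path, is off.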
Update webpack to version 5.104.0 or later. This fixes the allow-list bypass when following HTTP redirects. Updating prevents potential SSRF attacks and the inclusion of untrusted content in build outputs.
CVE-2025-68157 is a Server-Side Request Forgery (SSRF) vulnerability in webpack 5 that allows attackers to bypass URI allow-lists through HTTP 30x redirects, potentially leading to build-time SSRF and untrusted content inclusion.
You are affected if you are using webpack 5 prior to version 5.104.0 and have the experiments.buildHttp feature enabled. Check the installed webpack version (for example in your lockfile) and whether experiments.buildHttp is set in your webpack configuration to determine your exposure.
Upgrade to webpack version 5.104.0 or later. If upgrading is not possible, disable the experiments.buildHttp feature or carefully restrict the allowedUris configuration.
No public proof-of-concept (PoC) exploit has been disclosed at this time, but the vulnerability's potential impact warrants proactive mitigation.
Refer to the webpack security advisories and release notes on the official webpack website: [https://webpack.js.org/security/](https://webpack.js.org/security/)