Platform: nodejs
Component: webpack
Fixed in: 5.49.1, 5.104.1
CVE-2025-68458 is a Server-Side Request Forgery (SSRF) vulnerability affecting webpack versions prior to 5.104.1. This vulnerability allows attackers to bypass the allowedUris restriction when the experiments.buildHttp feature is enabled, potentially leading to unauthorized outbound requests during the build process. The vulnerability was published on 2026-02-05 and a fix is available in webpack 5.104.1.
The SSRF vulnerability in webpack arises when the experiments.buildHttp feature is enabled and the allowedUris configuration is improperly validated. Attackers can craft URLs containing userinfo (username:password@host) that bypass the intended prefix-based validation. The bypass works because the allow-list check runs before the URL is fully parsed: the hostname is only resolved afterwards, so a URL that begins with an allowed prefix can still direct the request to an arbitrary external host. This can expose sensitive internal resources, allow attackers to interact with internal services, or be used for reconnaissance. The impact is primarily limited to the build environment, but it could lead to data exfiltration or compromise of build dependencies if the build process has access to sensitive information.
This vulnerability is not currently listed on the CISA KEV catalog. The CVSS score is LOW (3.7), indicating a relatively low probability of exploitation. Public proof-of-concept (PoC) code is not yet widely available, but the vulnerability's nature suggests it could be easily exploited once a PoC is released. The vulnerability was disclosed publicly on 2026-02-05.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68458 is to upgrade to webpack version 5.104.1 or later. If upgrading is not immediately feasible, consider disabling the experiments.buildHttp feature entirely, as this eliminates the vulnerability. As a temporary workaround, ensure that the allowedUris configuration strictly enforces full URL matching, rather than relying on simple prefix checks. Implement network segmentation to restrict outbound traffic from the build environment. Monitor build logs for suspicious outbound requests. After upgrading, confirm the fix by attempting to craft a malicious URL with userinfo and verifying that it is blocked by the allowedUris restriction.
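The userinfo bypass described above and the "strict full URL matching" workaround, as an added illustration that is not webpack's own code: a bare string-prefix check beside a hardened check that parses the URL before comparing it against the allow-list. The allow-list entry and all hostnames are constructed placeholders.

```javascript
// Added example, not webpack's own code: a bare prefix check of the kind
// CVE-2025-68458 describes, beside a hardened check that parses the URL
// first and compares the parsed parts. Hostnames are constructed placeholders.

// Weak: string prefix only. It never parses, so it cannot tell that the
// text before "@" is userinfo rather than the host.
function naiveIsAllowed(rawUrl, allowedPrefixes) {
  return allowedPrefixes.some((prefix) => rawUrl.startsWith(prefix));
}

// Hardened: parse with the WHATWG URL parser (Node's global URL), refuse
// any credentials, then compare scheme, host (including port) and path
// prefix of the parsed URL against each parsed allow-list entry.
function strictIsAllowed(rawUrl, allowedPrefixes) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable input is never allowed
  }
  if (url.username !== "" || url.password !== "") {
    return false; // userinfo has no place in a build-time fetch
  }
  return allowedPrefixes.some((prefix) => {
    const allowed = new URL(prefix);
    return (
      url.protocol === allowed.protocol &&
      url.host === allowed.host &&
      url.pathname.startsWith(allowed.pathname)
    );
  });
}

// Constructed inputs. The allow-list entry has no trailing slash, which is
// what lets a bare prefix test be fooled.
const ALLOWED = ["https://cdn.example.com"];
const LEGIT = "https://cdn.example.com/lib/index.js";
// Starts with the allowed text, but the parser reads "cdn.example.com" as
// userinfo; the host actually contacted would be the placeholder after "@".
const USERINFO = "https://cdn.example.com@elsewhere.invalid/lib/index.js";
// A lookalike where the allowed host is merely a prefix of the real one.
const LOOKALIKE = "https://cdn.example.com.elsewhere.invalid/lib/index.js";

for (const u of [LEGIT, USERINFO, LOOKALIKE]) {
  console.log(u, "naive:", naiveIsAllowed(u, ALLOWED), "strict:", strictIsAllowed(u, ALLOWED));
}
```

The last line of the loop output is the check L16 recommends after upgrading: a userinfo URL must come back rejected.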
Update webpack to version 5.104.1 or higher. This fixes the SSRF vulnerability that allows untrusted content inclusion during the build. To update, run `npm install webpack@latest` or `yarn upgrade webpack` in your project.
CVE-2025-68458 is a Server-Side Request Forgery vulnerability in webpack versions prior to 5.104.1, allowing attackers to bypass URL restrictions during the build process.
You are affected if you are using webpack versions before 5.104.1 and have the experiments.buildHttp feature enabled with potentially flawed allowedUris validation.
Upgrade to webpack version 5.104.1 or later. If upgrading is not possible, disable experiments.buildHttp or implement strict URL matching in allowedUris.
There is no confirmed active exploitation at this time, but the vulnerability's nature suggests it could be easily exploited once a PoC is released.
Refer to the official webpack security advisory for CVE-2025-68458 on the webpack website or GitHub repository.