Platform: nodejs
Component: webpack
Fixed in: 5.49.1, 5.104.1
CVE-2025-68458 is a Server-Side Request Forgery (SSRF) vulnerability affecting webpack versions prior to 5.104.1. This vulnerability allows attackers to bypass the allowedUris restriction when the experiments.buildHttp feature is enabled, potentially leading to unauthorized outbound requests during the build process. The vulnerability was published on 2026-02-05 and a fix is available in webpack 5.104.1.
The SSRF vulnerability in webpack arises when the experiments.buildHttp feature is enabled and the allowedUris configuration is improperly validated. Attackers can craft URLs containing userinfo (username:password@host) that bypass the intended prefix-based validation. This bypass occurs because the URL parsing process resolves the hostname after the initial validation, effectively allowing requests to arbitrary external hosts. This can expose sensitive internal resources, allow attackers to interact with internal services, or potentially be used for reconnaissance purposes. The impact is primarily limited to the build environment, but could lead to data exfiltration or compromise of build dependencies if the build process has access to sensitive information.
This vulnerability is not currently listed on the CISA KEV catalog. The CVSS score is LOW (3.7), indicating a relatively low probability of exploitation. Public proof-of-concept (PoC) code is not yet widely available, but the vulnerability's nature suggests it could be easily exploited once a PoC is released. The vulnerability was disclosed publicly on 2026-02-05.
Node.js projects utilizing webpack's experiments.buildHttp feature and relying on prefix-based allowedUris validation are at risk. This includes projects using webpack for bundling, asset management, and build automation, particularly those with custom build configurations or those integrating webpack into CI/CD pipelines.
• nodejs / supply-chain:
npm list webpack
# Check for installed versions < 5.104.1
• generic web:
grep -rn 'buildHttp' webpack.config.*
# Look for webpack configurations enabling the vulnerable feature (experiments.buildHttp)
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68458 is to upgrade to webpack version 5.104.1 or later. If upgrading is not immediately feasible, consider disabling the experiments.buildHttp feature entirely, as this eliminates the vulnerability. As a temporary workaround, ensure that the allowedUris configuration strictly enforces full URL matching, rather than relying on simple prefix checks. Implement network segmentation to restrict outbound traffic from the build environment. Monitor build logs for suspicious outbound requests. After upgrading, confirm the fix by attempting to craft a malicious URL with userinfo and verifying that it is blocked by the allowedUris restriction.
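To make the bypass described above and the "strict URL matching" mitigation concrete, here is an added illustration (not webpack's own code): a naive string-prefix allow-list check beside a hardened check that parses the URL, refuses embedded userinfo, and compares the parsed origin. The names `allowedUris`, `isAllowedPrefix`, `isAllowedParsed` and the sample URLs are assumptions constructed for the example.

```javascript
// Added illustration, not webpack's implementation: why a string-prefix
// allow-list is bypassable with userinfo, and a hardened alternative.
// All names and URLs below are constructed for this example.

// Constructed allow-list in the same shape as a prefix-based allowedUris.
const allowedUris = ["https://cdn.example.com"];

// Naive check: does the raw string start with an allowed prefix?
// This is the class of check the advisory describes as bypassable.
function isAllowedPrefix(url, allowed = allowedUris) {
  return allowed.some((prefix) => url.startsWith(prefix));
}

// Hardened check: parse with the WHATWG URL parser first, reject any
// embedded credentials, then compare scheme+host (origin) and path
// prefix on the parsed form rather than on the raw string.
function isAllowedParsed(url, allowed = allowedUris) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is never allowed
  }
  if (parsed.username !== "" || parsed.password !== "") {
    return false; // userinfo has no legitimate use for asset fetches
  }
  return allowed.some((prefix) => {
    const allowedUrl = new URL(prefix);
    return (
      parsed.origin === allowedUrl.origin &&
      parsed.pathname.startsWith(allowedUrl.pathname)
    );
  });
}

// Constructed inputs: a legitimate asset, a URL whose text starts with
// the allowed prefix but whose real host differs because the prefix
// lands in the userinfo part, and a look-alike host with the same prefix.
const legit = "https://cdn.example.com/lib.js";
const userinfo = "https://cdn.example.com@other.example/lib.js";
const lookalike = "https://cdn.example.com.other.example/lib.js";

// Summarise both checks for each input so a reader can compare them.
function compareChecks(urls = [legit, userinfo, lookalike]) {
  return urls.map((u) => ({
    url: u,
    prefix: isAllowedPrefix(u),
    parsed: isAllowedParsed(u),
  }));
}
```

The prefix check accepts all three inputs, while the parsed check accepts only the legitimate asset, which is the behaviour a fixed allowedUris validation should exhibit.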
Update webpack to version 5.104.1 or later. This fixes the SSRF vulnerability that allows untrusted content to be included during the build. To update, run `npm install webpack@latest` or `yarn upgrade webpack` in your project.
CVE-2025-68458 is a Server-Side Request Forgery vulnerability in webpack versions prior to 5.104.1, allowing attackers to bypass URL restrictions during the build process.
You are affected if you are using webpack versions before 5.104.1 and have the experiments.buildHttp feature enabled with potentially flawed allowedUris validation.
Upgrade to webpack version 5.104.1 or later. If upgrading is not possible, disable experiments.buildHttp or implement strict URL matching in allowedUris.
There is no confirmed active exploitation at this time, but the vulnerability's nature suggests it could be easily exploited once a PoC is released.
Refer to the official webpack security advisory for CVE-2025-68458 on the webpack website or GitHub repository.