Platform: nodejs
Component: webpack
Fixed versions: 5.49.1, 5.104.0
CVE-2025-68157 is a Server-Side Request Forgery (SSRF) vulnerability in webpack 5. When the experiments.buildHttp feature is enabled, an HTTP 30x redirect bypasses the allowedUris allow-list because the redirect target is not re-validated. Exploitation can lead to build-time SSRF (reaching internal endpoints that are accessible from the build host) and to untrusted content being included in build outputs. Versions of webpack prior to 5.104.0 are affected; the fix is available in 5.104.0.
The flaw is in how experiments.buildHttp follows redirects. An import of an http(s) URL is checked against the allowedUris allow-list once, before the first request. If the server answers with an HTTP 30x, webpack follows the Location header without checking the new URL against allowedUris again, so a redirect issued by an allowed host lets the build fetch from arbitrary HTTP(S) URLs outside the intended allow-list. Two consequences follow. First, the request is made by the build machine, so it can reach endpoints that are not exposed to the internet; what exactly is reachable depends on the build host's network position. Second, whatever the redirect target returns is treated as module source and can end up in the final bundle, so an attacker who controls a redirect on an allowed host can introduce code or data into the build output. This matters most where webpack produces production bundles in CI.
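The following is an added example, not code from webpack or from this advisory. It models the failure mode described above with a constructed, offline stand-in for the network: an allow-list that is checked only on the URL named in the import is bypassed by a 30x redirect, while re-validating every hop closes the gap. The allow-list matching rules (string entry = prefix, RegExp = test, function = predicate) follow the documented shape of experiments.buildHttp.allowedUris but are this example's own reimplementation, not webpack's HttpUriPlugin; the hostnames and the link-local address are constructed sample values and nothing is contacted.

```javascript
// Added example, not webpack's code. Models the allow-list-then-redirect flaw.

// Constructed stand-in for the network: URL -> canned response. The allowed CDN
// host redirects one path to an internal-only address, which is the scenario
// the advisory describes. 169.254.169.254 is only a sample link-local address.
const FAKE_RESPONSES = {
  "https://cdn.example/lib.js": {
    status: 302,
    headers: { location: "http://169.254.169.254/latest/meta-data/" },
  },
  "http://169.254.169.254/latest/meta-data/": { status: 200, body: "INTERNAL-ONLY DATA" },
  "https://cdn.example/moved.js": { status: 301, headers: { location: "/safe.js" } },
  "https://cdn.example/safe.js": { status: 200, body: "export default 1;" },
};

function fakeFetch(url) {
  return FAKE_RESPONSES[url] || { status: 404, body: "" };
}

// Assumed matching semantics for allowedUris entries (string prefix, RegExp, function).
function isAllowed(uri, allowedUris) {
  for (const allowed of allowedUris) {
    if (typeof allowed === "string") {
      if (uri.startsWith(allowed)) return true;
    } else if (typeof allowed === "function") {
      if (allowed(uri)) return true;
    } else if (allowed instanceof RegExp && allowed.test(uri)) {
      return true;
    }
  }
  return false;
}

function isRedirect(res) {
  return res.status >= 300 && res.status < 400 && res.headers && res.headers.location;
}

// Shared redirect-following loop. `checkEveryHop` is the only difference
// between the vulnerable and the hardened behaviour.
function fetchWithRedirects(url, allowedUris, checkEveryHop, maxRedirects = 5) {
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    // Vulnerable: validate only the URL the import named (hop 0).
    // Hardened: validate the URL about to be fetched on every hop.
    if ((hop === 0 || checkEveryHop) && !isAllowed(current, allowedUris)) {
      throw new Error(`blocked by allowedUris: ${current}`);
    }
    const res = fakeFetch(current);
    if (isRedirect(res)) {
      // Resolve relative Location headers against the current URL, as a client would.
      current = new URL(res.headers.location, current).href;
      continue;
    }
    return { finalUrl: current, status: res.status, body: res.body || "" };
  }
  throw new Error("too many redirects");
}

const fetchVulnerable = (url, allowedUris) => fetchWithRedirects(url, allowedUris, false);
const fetchHardened = (url, allowedUris) => fetchWithRedirects(url, allowedUris, true);

// Runs both behaviours over the constructed responses and returns a summary.
function demo() {
  const allowedUris = ["https://cdn.example/"];
  const out = {};
  // Allow-list passes on the import URL, then the redirect walks off to the internal address.
  out.vulnerable = fetchVulnerable("https://cdn.example/lib.js", allowedUris);
  try {
    out.hardened = fetchHardened("https://cdn.example/lib.js", allowedUris);
  } catch (e) {
    out.hardened = { error: e.message };
  }
  // A redirect that stays on an allowed host is still accepted by the hardened check.
  out.sameHost = fetchHardened("https://cdn.example/moved.js", allowedUris);
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable path returns the internal endpoint's body with a finalUrl that was never checked against the allow-list; the hardened path rejects the redirect target and still accepts a same-host redirect. The fix is the per-hop check, not a tighter list: with the vulnerable loop, no allowedUris value short of an empty list prevents an allowed host from redirecting elsewhere.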
CVE-2025-68157 has a CVSS score of 3.7 (Low). No public proof-of-concept exploit had been disclosed at the time of writing. The vulnerability was published on 2026-02-05. Its impact is limited to the build environment, and exploitation requires control over the webpack configuration, the ability to inject import statements that reference HTTP(S) URLs, or control of a redirect on a host that is already on the allow-list. The EPSS score is listed below.
Exploitation status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68157 is to upgrade to webpack 5.104.0 or later, which re-validates the target of every HTTP 30x redirect against allowedUris. If upgrading is not immediately feasible, disable experiments.buildHttp entirely; this removes the attack surface, because webpack then never fetches modules over HTTP(S) at build time. Tightening allowedUris is worthwhile on its own (use specific https:// prefixes with a trailing slash after the host, anchored regular expressions, and no bare scheme or bare host entries), but it does not close this hole: the flaw is that the redirect target is never checked, so any allowed host that can be made to redirect, for example through an open redirect, can still send the build to an arbitrary URL. Restrict the build machine's egress instead: network segmentation so that CI hosts cannot reach internal services or cloud metadata endpoints, and an egress proxy or firewall rules that permit only the hosts the build needs. A web application firewall does not help here, since it filters inbound requests to an application rather than outbound requests from the build process. None of these measures is a substitute for patching.
Upgrade webpack to 5.104.0 or later. This fixes the allow-list bypass that occurs when HTTP redirects are followed, and so prevents the potential SSRF and the inclusion of untrusted content in the build output.
CVE-2025-68157 is a Server-Side Request Forgery (SSRF) vulnerability in webpack 5 that allows attackers to bypass URI allow-lists through HTTP 30x redirects, potentially leading to build-time SSRF and untrusted content inclusion.
You are affected if you are using webpack 5 prior to version 5.104.0 and have the experiments.buildHttp feature enabled. Check your webpack version and configuration to determine your risk.
Upgrade to webpack version 5.104.0 or later. If upgrading is not possible, disable the experiments.buildHttp feature; tightening allowedUris is good hygiene but does not by itself stop a redirect from an allowed host, so pair it with egress restrictions on the build machine.
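The following is an added checker, not part of this page or of the webpack project, for the "am I affected" question. It takes the installed webpack version (read it from node_modules/webpack/package.json) and the resolved webpack configuration object, applies the cut-off stated above (webpack 5 below 5.104.0 with experiments.buildHttp enabled), and flags allowedUris entries that admit more than their author probably intended. The "overly broad" heuristics are this example's own judgement; the assumption that string entries are matched as prefixes mirrors the documented option shape, not webpack's source. The sample configuration at the end is constructed.

```javascript
// Added example, not webpack's code: affected-version and allow-list hygiene check.

const FIXED_VERSION = "5.104.0"; // cut-off named in the advisory

// Accepts "5.103.0", "v5.103.0" or a range spec such as "^5.90.0"; returns [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim().replace(/^[\^~=v>]+/, ""));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// experiments.buildHttp exists only in the 5.x line, so 4.x is out of scope here.
function isVulnerableVersion(version) {
  return parseVersion(version)[0] === 5 && compareVersions(version, FIXED_VERSION) < 0;
}

// Returns the buildHttp options object when the feature is enabled, else null.
function buildHttpOptions(config) {
  const b = config && config.experiments && config.experiments.buildHttp;
  if (b === true) return {}; // enabled, but no allow-list to inspect
  if (b && typeof b === "object") return b;
  return null; // disabled or absent
}

// Heuristics (this example's own) for entries that admit far more than one host:
//  - a string prefix with no "/" after the host: under prefix matching
//    "https://cdn.example" also matches "https://cdn.example.attacker.net/...";
//  - a bare scheme prefix such as "https://";
//  - a RegExp not anchored at the start, which matches the host name anywhere in a URL;
//  - a function, which cannot be inspected statically and is reported for manual review.
function overlyBroadEntries(allowedUris) {
  const broad = [];
  for (const entry of allowedUris || []) {
    if (typeof entry === "string") {
      if (/^https?:\/\/[^/]*$/.test(entry)) broad.push(entry);
    } else if (entry instanceof RegExp) {
      if (!entry.source.startsWith("^")) broad.push(entry);
    } else if (typeof entry === "function") {
      broad.push(entry);
    }
  }
  return broad;
}

function assess({ version, config }) {
  const opts = buildHttpOptions(config);
  const vulnerableVersion = isVulnerableVersion(version);
  return {
    vulnerableVersion,
    buildHttpEnabled: opts !== null,
    affected: vulnerableVersion && opts !== null,
    broadEntries: opts ? overlyBroadEntries(opts.allowedUris) : [],
  };
}

// Constructed sample: a pre-fix version with buildHttp enabled and two loose entries.
const SAMPLE_CONFIG = {
  experiments: {
    buildHttp: {
      allowedUris: ["https://cdn.example", /cdn\.example/, "https://cdn.example/"],
    },
  },
};

console.log(assess({ version: "5.103.0", config: SAMPLE_CONFIG }));
```

For the sample, `affected` is true and `broadEntries` holds the unterminated string prefix and the unanchored RegExp; the entry ending in a slash passes. Running the same config against 5.104.0 reports `affected: false` but still lists the loose entries, which is the point: the version check answers the CVE question, the allow-list check is hygiene that stays relevant after the upgrade.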
No public Proof-of-Concept (POC) exploits have been publicly disclosed at this time, but the vulnerability's potential impact warrants proactive mitigation.
Refer to the webpack security advisories and release notes on the official webpack website: [https://webpack.js.org/security/](https://webpack.js.org/security/)