1576 matches found

CVE
added 2026/02/05 11:8 p.m., 75 views

CVE-2025-68157

Webpack vulnerability CVE-2025-68157 affects the HttpUriPlugin when experiments.buildHttp is enabled. From 5.49.0 through versions before 5.104.0, allowedUris are validated only for the initial URL; redirects (HTTP 30x) are not re-validated, allowing an import restricted to a trusted allow-list t...

CVSS 3.7, AI score 5.4, EPSS 0.002
Exploits: 1, References: 1, Affected Software: 1

Debian CVE
added 2026/02/05 11:8 p.m., 4 views

CVE-2025-68157

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTPS resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that...

CVSS 3.7, AI score 5.3, EPSS 0.002
Exploits: 1

OSV
added 2026/02/05 11:8 p.m., 3 views

CVE-2025-68157 webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTPS resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that...

CVSS 3.7, AI score 5.5, EPSS 0.002
Exploits: 1, References: 3

Cvelist
added 2026/02/05 11:8 p.m., 27 views

CVE-2025-68458 webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTPS resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris...

CVSS 3.7, EPSS 0.002
Exploits: 1, References: 1

ATTACKERKB
added 2026/02/05 11:8 p.m., 5 views

CVE-2025-68458

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTPS resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris...

CVSS 3.7, AI score 5.4, EPSS 0.002
Exploits: 1, References: 2, Affected Software: 1

Vulnrichment
added 2026/02/05 11:8 p.m., 4 views

CVE-2025-68458 webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTPS resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris...

CVSS 3.7, AI score 5.4, EPSS 0.002
Exploits: 1, References: 1

EUVD
added 2026/02/05 11:8 p.m., 5 views

EUVD-2025-206877

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTPS resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris...

CVSS 3.7, AI score 5.3, EPSS 0.002
Exploits: 1, References: 1

Debian CVE
added 2026/02/05 11:8 p.m., 5 views

CVE-2025-68458

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTPS resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris...

CVSS 3.7, AI score 5.2, EPSS 0.002
Exploits: 1

CVE
added 2026/02/05 11:8 p.m., 30 views

CVE-2025-68458

Webpack CVE-2025-68458 affects Webpack’s HTTP(S) resolver (HttpUriPlugin) when experiments.buildHttp is enabled. A crafted URL containing userinfo (username:password@host) can bypass allowedUris checks and cause the build process to request resources from internal or non-whitelisted hosts, enabli...

CVSS 3.7, AI score 5.4, EPSS 0.002
Exploits: 1, References: 1, Affected Software: 1

OSV
added 2026/02/05 11:8 p.m., 5 views

CVE-2025-68458 webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTPS resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris...

CVSS 3.7, AI score 5.4, EPSS 0.002
Exploits: 1, References: 3

Snyk
added 2026/02/05 6:38 p.m., 3 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HttpUriPlugin component. An attacker can cause unauthorized outbound requests to internal or otherwise restricted endpoints and include untrusted content in build outputs by crafting URLs with...

CVSS 3.7, AI score 5.4, EPSS 0.002
Exploits: 1, References: 2

OSV
added 2026/02/05 6:38 p.m., 2 views

GHSA-8FGC-7CC6-RX7X webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

Summary: When experiments.buildHttp is enabled, webpack’s HTTPS resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check e.g.,...

CVSS 3.7, AI score 5.9, EPSS 0.002
Exploits: 1, References: 3

GitHub Security Blog
added 2026/02/05 6:38 p.m., 9 views

webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

Summary: When experiments.buildHttp is enabled, webpack’s HTTPS resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check e.g.,...

CVSS 3.7, AI score 5.6, EPSS 0.002
Exploits: 1, References: 3, Affected Software: 1

Snyk
added 2026/02/05 6:35 p.m., 5 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HttpUriPlugin component when HTTP redirects are followed without re-validating the allowed URIs. An attacker can cause unauthorized network requests to internal services and inclusion of untruste...

CVSS 3.7, AI score 5.5, EPSS 0.002
Exploits: 1, References: 2

GitHub Security Blog
added 2026/02/05 6:35 p.m., 13 views

webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence

Summary: When experiments.buildHttp is enabled, webpack’s HTTPS resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to...

CVSS 3.7, AI score 5.6, EPSS 0.002
Exploits: 1, References: 3, Affected Software: 1

Circl
added 2026/02/05 5:40 p.m., 4 views

CVE-2025-68157

creationtimestamp | type | source
---|---|---
2026-02-05 17:40:10+00:00 | published-proof-of-concept | https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758...

CVSS 3.7, AI score 5.8, EPSS 0.002
Exploits: 1, References: 1

Circl
added 2026/02/05 5:34 p.m., 5 views

CVE-2025-68458

creationtimestamp | type | source
---|---|---
2026-02-05 17:34:57+00:00 | published-proof-of-concept | https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x...

CVSS 3.7, AI score 5.8, EPSS 0.002
Exploits: 1, References: 1

CNNVD
added 2026/02/05 12:0 a.m., 5 views

Webpack code issue vulnerability

Webpack is a module bundler developed by Webpack contributors. Its primary purpose is to bundle JavaScript files for use in browsers. However, it can also convert, bundle, or package almost any resource or asset. Versions of Webpack from 5.49.0 to 5.104.1 contained code vulnerabilities. These...

CVSS 3.7, AI score 5.9, EPSS 0.002
Exploits: 1, References: 1

Positive Technologies
added 2026/02/05 12:0 a.m., 2 views

PT-2026-6641

Name of the Vulnerable Software and Affected Versions: Webpack versions 5.49.0 through 5.104.0
Description: Webpack’s HTTPS resolver (HttpUriPlugin) can be bypassed when the experiments.buildHttp feature is enabled. This bypass allows fetching resources from hosts outside of the allowedUris...

CVSS 3.7, AI score 5.5, EPSS 0.002
Exploits: 1, References: 10

CNNVD
added 2026/02/05 12:0 a.m., 4 views

Webpack code issue vulnerability

Webpack is a module bundler developed by Webpack contributors. Its primary purpose is to bundle JavaScript files for use in browsers. However, it can also convert, bundle, or package almost any resource or asset. Versions of Webpack from 5.49.0 to 5.104.0 contained code vulnerabilities. These...

CVSS 3.7, AI score 5.9, EPSS 0.002
Exploits: 1, References: 1