VDB
CVE-2025-68157
CVE-2025-68157
PUBLISHED
CVSS 3.700000047683716 LOW
Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
EPSS 0.01% · 1.5th percentile
Risk Scores
CVSS v3.1
3.700000047683716
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
EPSS Score
0.01%
1.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| webpack.js | webpack | 5.49.0 |
| webpack | webpack | >= 5.49.0, < 5.104.0 |
| npm | webpack | 5.49.0 |
Timeline
- Feb 5, 2026 CVE Published
- Feb 6, 2026 CVE Updated
- Feb 6, 2026 EPSS Score
- Feb 7, 2026 Security Advisory
- Feb 8, 2026 EPSS Score
- Feb 10, 2026 EPSS Score
- Feb 12, 2026 EPSS Score
- Feb 15, 2026 EPSS Score
- Feb 17, 2026 EPSS Score
- Feb 19, 2026 EPSS Score
- Feb 21, 2026 EPSS Score
- Feb 23, 2026 EPSS Score
References
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37405 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37404 advisory
- https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-68157 advisory
- https://github.com/webpack/webpack package