CVE-2025-68458
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.
EPSS 0.01% · 1.5th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| webpack | webpack | * |
| webpack.js | webpack | 5.49.0 |
| npm | webpack | 5.49.0 |
Timeline
- Feb 5, 2026 CVE Published
- Feb 6, 2026 CVE Updated
- Feb 6, 2026 EPSS Score
- Feb 7, 2026 Security Advisory
- Feb 8, 2026 EPSS Score
- Feb 10, 2026 EPSS Score
- Feb 12, 2026 EPSS Score
- Feb 15, 2026 EPSS Score
- Feb 17, 2026 EPSS Score
- Feb 19, 2026 EPSS Score
- Feb 21, 2026 EPSS Score
- Feb 23, 2026 EPSS Score
References
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37405 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37404 advisory
- https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x url
- https://nvd.nist.gov/vuln/detail/CVE-2025-68458 advisory
- https://github.com/webpack/webpack package