PT-2026-6640 · Webpack · Webpack

Published

2026-02-05

·

Updated

2026-02-06

·

CVE-2025-68157

CVSS v3.1

3.7

Low

Vector

AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Webpack versions 5.49.0 through 5.103.9
Description

Webpack's HTTP(S) module resolver (HttpUriPlugin, enabled by experiments.buildHttp) validates a remote import URL against the configured allow-list (allowedUris) but does not re-validate the target of an HTTP 30x redirect. An import that appears restricted to a trusted host can therefore be redirected to an HTTP(S) URL outside the allow-list, bypassing the policy. Because the redirected response is treated as module source and bundled, the flaw yields build-time Server-Side Request Forgery (SSRF): requests are made from the build machine to internal endpoints, and untrusted content can be included in build outputs. Internal responses can also be persisted in the buildHttp cache. An attacker who can influence an imported URL, or who controls a redirect on an allowed host, can trigger network requests to internal services and, if the redirect target is attacker-controlled, bundle attacker-controlled JavaScript.
Recommendations

Update to Webpack version 5.104.0 or later.
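The following is an added example, not code from webpack or from this advisory. It models the allow-list check described above in plain Node.js, with no network access: the "server" is a constructed table in which a URL on an allowed CDN answers with a 302 to an internal address (the metadata-service address used here is only an illustration). The allow-list, the CDN host and the internal host are all assumed for the example; the allowedUris string-prefix semantics follow webpack's documented option, but the resolver functions are a model, not HttpUriPlugin's implementation.

```javascript
// Added example (not webpack's code): allow-list check with and without
// re-validation of HTTP 30x redirect targets.

// Assumed allow-list, in the style of experiments.buildHttp.allowedUris
// (string entries are treated as URL prefixes).
const ALLOWED_URIS = ["https://cdn.example.com/"];

// Constructed responses standing in for real servers. The trusted CDN
// redirects lib.js to an internal host; the internal host returns text
// that a build would treat as module source.
const CONSTRUCTED_SERVER = new Map([
  ["https://cdn.example.com/lib.js",
    { status: 302, location: "http://169.254.169.254/latest/meta-data/" }],
  ["http://169.254.169.254/latest/meta-data/",
    { status: 200, body: "ami-id\ninstance-id\n" }],
  ["https://cdn.example.com/safe.js",
    { status: 200, body: "export default 1;" }],
]);

function isAllowed(url, allowedUris = ALLOWED_URIS) {
  return allowedUris.some((prefix) => url.startsWith(prefix));
}

function fetchOnce(url, server = CONSTRUCTED_SERVER) {
  const res = server.get(url);
  if (!res) throw new Error(`no constructed response for ${url}`);
  return res;
}

function isRedirect(res) {
  return res.status >= 300 && res.status < 400 && typeof res.location === "string";
}

// Vulnerable pattern (the behaviour the advisory describes): the allow-list
// is checked once, for the import URL, and Location targets are followed blindly.
function resolveWithoutRevalidation(url, opts = {}) {
  const { allowedUris = ALLOWED_URIS, server = CONSTRUCTED_SERVER, maxRedirects = 5 } = opts;
  if (!isAllowed(url, allowedUris)) throw new Error(`${url} is not in allowedUris`);
  let current = new URL(url).href;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = fetchOnce(current, server);
    if (isRedirect(res)) {
      current = new URL(res.location, current).href; // no allow-list check here
      continue;
    }
    return { finalUrl: current, body: res.body };
  }
  throw new Error("too many redirects");
}

// Hardened pattern: every URL that will actually be fetched, including each
// resolved Location target, must pass the allow-list before the request is made.
function resolveWithRevalidation(url, opts = {}) {
  const { allowedUris = ALLOWED_URIS, server = CONSTRUCTED_SERVER, maxRedirects = 5 } = opts;
  let current = new URL(url).href;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!isAllowed(current, allowedUris)) {
      throw new Error(`${current} is not in allowedUris (hop ${hop})`);
    }
    const res = fetchOnce(current, server);
    if (isRedirect(res)) {
      current = new URL(res.location, current).href;
      continue;
    }
    return { finalUrl: current, body: res.body };
  }
  throw new Error("too many redirects");
}

// Stand-alone demonstration of the bypass versus the hardened behaviour.
if (typeof require !== "undefined" && require.main === module) {
  const leaked = resolveWithoutRevalidation("https://cdn.example.com/lib.js");
  console.log("without re-validation, bundled from:", leaked.finalUrl);
  try {
    resolveWithRevalidation("https://cdn.example.com/lib.js");
  } catch (e) {
    console.log("with re-validation:", e.message);
  }
}
```

The same import resolves to the internal host's response in the first resolver and is rejected at the first redirect hop in the second. Note that an allowed host that can be made to issue a redirect remains a trust boundary even after the upgrade, so keep allowedUris entries as narrow as the build permits and inspect the buildHttp cache for hosts you did not expect.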

SSRF

Related Identifiers

CVE-2025-68157
GHSA-38R7-794H-5758

Affected Products

Webpack