PT-2026-6641 · Webpack · Webpack

Published 2026-02-05 · Updated 2026-02-06 · CVE-2025-68458

CVSS v3.1 3.7 Low
Vector AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Webpack versions 5.49.0 through 5.104.0

Description
Webpack's HTTP(S) resolver (HttpUriPlugin) can be bypassed when the experiments.buildHttp feature is enabled. The bypass allows fetching resources from hosts outside the allowedUris configuration by using crafted URLs that include userinfo (username:password@host). When allowedUris enforcement relies on a raw string prefix check, a URL that appears to be allow-listed passes validation while the actual network request, after URL parsing, is sent to a different authority/host.

This is a policy/allow-list bypass that enables build-time Server-Side Request Forgery (SSRF) and untrusted content inclusion: the fetched response is treated as module source and bundled into the final output. The root cause is that the allowedUris check is performed on the raw URI string, whereas the request destination is determined later by parsing the URL, which treats the part of the authority before '@' as userinfo and the part after it as the host. Exploitation requires that a crafted URL reach a build with experiments.buildHttp enabled. Depending on the build machine's network access, the issue can lead to outbound requests to internal-only endpoints and to the inclusion of untrusted content in the bundle.

Recommendations
Update to Webpack version 5.104.1 or later.
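The check-versus-request mismatch described above, as an added example in JavaScript (not webpack's own code): a raw-prefix check of the kind the description names, the host the URL parser actually routes the request to, and a hardened check that validates the parsed authority instead. The allow-list entry, the crafted URLs and the helper names isAllowedRaw, requestHost, isAllowedParsed and evaluate are constructed for illustration and do not correspond to webpack internals.

```javascript
// Added example (not webpack's own code): why a raw-string prefix check
// against allowedUris is bypassable with URL userinfo, next to a check
// that validates the parsed authority instead. The allow-list and the
// crafted URLs below are constructed for illustration.

// Constructed allow-list, in the shape experiments.buildHttp.allowedUris
// takes for string entries (a string entry acts as a prefix).
const allowedUris = ["https://cdn.example.com"];

// Vulnerable pattern: the raw URI string is compared against the prefix
// before any URL parsing happens.
function isAllowedRaw(uri, allowList = allowedUris) {
  return allowList.some((prefix) => uri.startsWith(prefix));
}

// Where the request would actually be sent: the host chosen by the URL
// parser, i.e. the part of the authority after '@' (the part before it
// is userinfo and never reaches DNS).
function requestHost(uri) {
  return new URL(uri).host;
}

// Hardened pattern: parse first, refuse any userinfo, then compare the
// parsed origin (scheme + host + port) and path prefix, not the string.
function isAllowedParsed(uri, allowList = allowedUris) {
  let url;
  try {
    url = new URL(uri);
  } catch {
    return false; // unparsable input is never allowed
  }
  if (url.username !== "" || url.password !== "") {
    return false; // userinfo has no legitimate use here; treat as hostile
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return false;
  }
  return allowList.some((prefix) => {
    const allowed = new URL(prefix);
    return (
      url.origin === allowed.origin &&
      url.pathname.startsWith(allowed.pathname)
    );
  });
}

// Run both checks on one URL and report where the request would go.
function evaluate(uri) {
  return {
    uri,
    rawCheck: isAllowedRaw(uri),
    parsedCheck: isAllowedParsed(uri),
    sentTo: requestHost(uri),
  };
}

// Constructed inputs: one legitimate URL and two userinfo-shaped bypasses.
const samples = [
  "https://cdn.example.com/lib/util.js",            // legitimate
  "https://cdn.example.com@evil.example/x.js",      // user@host
  "https://cdn.example.com:pass@evil.example/x.js", // user:pass@host
];

for (const s of samples) {
  console.log(evaluate(s));
}
```

Run with node: the two crafted URLs pass the raw check (they start with the allowed prefix) while the parser sends the request to evil.example; the parsed check rejects them because userinfo is present, and would also reject them by origin comparison. A string entry that ends in '/' happens to close the authority before any '@' can appear, so this particular shape does not pass such an entry, but comparing the parsed origin is what removes the mismatch between what is checked and what is fetched. This illustrates the defect class only; the fix for the product is the upgrade to 5.104.1.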

SSRF

Related Identifiers

CVE-2025-68458
GHSA-8fgc-7cc6-rx7x

Affected Products

Webpack