CVE-2025-68157 Overview
CVE-2025-68157 is a Server-Side Request Forgery (SSRF) vulnerability in Webpack, a popular JavaScript module bundler. The vulnerability exists in the HTTP(S) resolver component (HttpUriPlugin) when the experimental feature experiments.buildHttp is enabled. The flaw allows attackers to bypass URL allow-list restrictions through HTTP 30x redirects, potentially enabling unauthorized access to internal endpoints and inclusion of untrusted content in build outputs.
Critical Impact
Attackers can bypass configured URL allow-lists during the build process, enabling requests to internal-only endpoints from the build machine and potentially injecting untrusted code into bundled applications.
Affected Products
- Webpack versions 5.49.0 to 5.103.x
- Applications using experiments.buildHttp with HttpUriPlugin
- Build pipelines configured with URL allow-list restrictions
Discovery Timeline
- 2026-02-05 - CVE CVE-2025-68157 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2025-68157
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). When developers configure Webpack with experiments.buildHttp enabled, they can specify allowedUris to restrict which external URLs the bundler can fetch modules from during the build process. This is intended as a security control to prevent the build from fetching arbitrary remote content.
However, the HttpUriPlugin component only validates the initial URL against the allowedUris configuration. When the initial request results in an HTTP 30x redirect response, the plugin follows the redirect without re-validating the destination URL against the allow-list. This creates a bypass condition where an attacker who controls a URL on the allow-list can redirect the build process to fetch content from arbitrary URLs.
The impact manifests in two primary ways: first, the build machine can be coerced into making HTTP(S) requests to internal network endpoints that would otherwise be inaccessible (build-time SSRF); second, the redirected content is processed as legitimate module source code and included in the final bundle, potentially introducing malicious or untrusted code into production applications.
Root Cause
The root cause of this vulnerability is insufficient validation in the redirect handling logic within Webpack's HttpUriPlugin. The allow-list enforcement is applied only at the initial request phase, treating redirect destinations as implicitly trusted. This design flaw violates the principle of complete mediation, where security checks should be applied to all access paths, including redirects.
The implementation assumes that if the initial URL passes the allow-list check, any subsequent URLs in a redirect chain are also authorized. This assumption is flawed because an attacker-controlled server on the allow-list can redirect to any arbitrary destination, effectively nullifying the allow-list protection.
Attack Vector
An attacker can exploit this vulnerability when they control or can influence a URL that appears on a target's configured allowedUris list. The attack proceeds through the network vector and requires the following conditions:
- The target application uses Webpack version 5.49.0 through 5.103.x
- The experiments.buildHttp feature is enabled in the Webpack configuration
- An attacker-controlled URL exists on the allowedUris allow-list (or the attacker can compromise a listed endpoint)
- The attacker configures their controlled endpoint to respond with an HTTP 30x redirect to a malicious destination
When the build process attempts to fetch a module from the attacker-controlled allow-listed URL, the server responds with a redirect to either an internal endpoint (for SSRF) or an external URL serving malicious JavaScript code (for untrusted content inclusion). The HttpUriPlugin follows this redirect without checking the destination against allowedUris, completing the bypass.
For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2025-68157
Indicators of Compromise
- Unexpected HTTP redirect responses (30x status codes) during Webpack build operations to internal IP ranges or unauthorized external domains
- Build logs showing module fetches from URLs not explicitly configured in allowedUris
- Network traffic from build machines to internal endpoints that should not be accessed during builds
- Anomalous content appearing in bundled JavaScript that does not match expected source repositories
Detection Strategies
- Implement network monitoring on build infrastructure to detect outbound requests to unexpected internal endpoints or unauthorized external URLs
- Review Webpack build logs for module resolution paths that deviate from configured allow-lists
- Deploy egress filtering on build machines to detect and block requests to internal network ranges
- Use Software Composition Analysis (SCA) tools to identify Webpack installations using vulnerable versions between 5.49.0 and 5.103.x
Monitoring Recommendations
- Configure build pipeline logging to capture all HTTP(S) requests made during the build process, including redirect chains
- Implement alerting for build processes that make requests to internal network ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Monitor for unexpected changes in bundle size or content that could indicate injected code from redirected sources
- Audit experiments.buildHttp usage across all projects and maintain an inventory of allow-listed URLs
How to Mitigate CVE-2025-68157
Immediate Actions Required
- Upgrade Webpack to version 5.104.0 or later, which includes the security patch for this vulnerability
- Audit all Webpack configurations for usage of experiments.buildHttp and document the business need for each instance
- Review and minimize the allowedUris configuration to include only strictly necessary and fully trusted URLs
- Implement network-level egress controls on build infrastructure to prevent access to internal endpoints
Patch Information
The Webpack team has addressed this vulnerability in version 5.104.0. The fix ensures that allowedUris validation is performed not only on the initial URL but also on all URLs encountered during HTTP redirect handling. Organizations should update their Webpack dependencies as soon as possible.
For additional details on the fix, refer to the GitHub Security Advisory.
Workarounds
- Disable experiments.buildHttp entirely if the feature is not strictly required for your build process
- Implement network segmentation to isolate build infrastructure from sensitive internal services
- Use a forward proxy for all outbound build requests that validates final destination URLs against an allow-list
- Pre-download and vendor all external dependencies rather than fetching them at build time
# Configuration example
# Update Webpack to the patched version
npm update [email protected]
# Or specify the minimum version in package.json
# "webpack": ">=5.104.0"
# If using yarn
yarn upgrade [email protected]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
