CVE-2025-68458 Overview
CVE-2025-68458 is a Server-Side Request Forgery (SSRF) vulnerability in Webpack, a widely-used JavaScript module bundler. The vulnerability exists in Webpack's HTTP(S) resolver (HttpUriPlugin) when the experimental experiments.buildHttp feature is enabled. Attackers can bypass the allowedUris security control by crafting malicious URLs that include userinfo components (username:password@host), allowing them to fetch resources from unauthorized hosts during the build process.
Critical Impact
This vulnerability enables build-time SSRF attacks where outbound requests from build machines can reach internal-only endpoints, and untrusted content can be bundled as module source code, potentially compromising application integrity.
Affected Products
- Webpack versions 5.49.0 to 5.104.0
- Applications using experiments.buildHttp with allowedUris restrictions
- Build pipelines leveraging Webpack's HTTP(S) resource fetching capabilities
Discovery Timeline
- 2026-02-05 - CVE CVE-2025-68458 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2025-68458
Vulnerability Analysis
The vulnerability stems from an improper URL validation mechanism in Webpack's HttpUriPlugin. When experiments.buildHttp is enabled, Webpack allows fetching remote modules over HTTP/HTTPS. The allowedUris configuration is intended to restrict which hosts can be contacted during the build process.
The security bypass occurs because the allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)). This approach fails to account for URL parsing semantics, particularly the userinfo component specified in RFC 3986. An attacker can construct a URL like https://[email protected]/payload that passes the string-based validation (it starts with the allowed domain) but after URL parsing, the actual network request is sent to malicious-host.internal.
This vulnerability is classified under CWE-918 (Server-Side Request Forgery), as it allows attackers to induce the server-side build process to make requests to arbitrary destinations.
Root Cause
The root cause is the discrepancy between how URLs are validated (string prefix matching) versus how they are parsed and resolved for network requests. The userinfo component (username:password@) is a legitimate part of URL syntax used for authentication, but when the host portion of a URL is mistakenly placed in the userinfo position, browsers and HTTP clients interpret the portion after @ as the actual target host.
The vulnerable code path performs validation on the raw URL string before parsing, allowing specially crafted URLs to bypass the allow-list while still resulting in requests to attacker-controlled endpoints.
Attack Vector
The attack requires network access and leverages the following conditions:
- Target build system has Webpack configured with experiments.buildHttp enabled
- The allowedUris configuration restricts allowed remote hosts
- Attacker can influence URLs processed during the build (e.g., through dependency configuration, import statements, or other input vectors)
An attacker crafts a URL such as https://trusted-cdn.example.com@attacker-internal-service/malicious-module.js. This URL passes the string prefix validation against trusted-cdn.example.com but the actual HTTP request targets attacker-internal-service. The response from the malicious endpoint is then bundled as legitimate module source code, enabling supply chain attacks or information exfiltration from internal networks during build time.
Detection Methods for CVE-2025-68458
Indicators of Compromise
- Unusual outbound HTTP/HTTPS requests from build servers to internal or unexpected hosts
- Build logs containing URLs with @ symbols in suspicious positions (e.g., domain names appearing before @)
- Network traffic from build environments targeting internal infrastructure that should not be accessed
- Module source code containing unexpected or obfuscated content from external sources
Detection Strategies
- Monitor build server network egress for connections to internal-only endpoints or unexpected external hosts
- Implement URL parsing validation in CI/CD pipelines to detect userinfo-based bypass attempts
- Review Webpack configurations for experiments.buildHttp usage and audit allowedUris settings
- Analyze build artifacts for suspicious or unexpected module inclusions
Monitoring Recommendations
- Enable detailed logging for Webpack builds to capture all HTTP(S) resource fetch operations
- Deploy network monitoring on build infrastructure to detect SSRF-style request patterns
- Implement alerting for build processes attempting to access internal network ranges
- Audit dependency configurations and import statements for unusual URL patterns
How to Mitigate CVE-2025-68458
Immediate Actions Required
- Upgrade Webpack to version 5.104.1 or later where this vulnerability has been patched
- Review all projects using experiments.buildHttp to assess exposure risk
- Audit allowedUris configurations and verify they are being enforced correctly post-upgrade
- Consider temporarily disabling experiments.buildHttp if patching is not immediately possible
Patch Information
The vulnerability has been addressed in Webpack version 5.104.1. Organizations should upgrade to this version or later to remediate the vulnerability. The patch implements proper URL parsing before validation, ensuring that the actual target host is verified against the allow-list rather than relying on string prefix matching.
For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Disable experiments.buildHttp entirely if remote module fetching is not required
- Implement network-level controls to restrict build server egress to only necessary external endpoints
- Use a reverse proxy or firewall rules to validate and sanitize outbound requests from build infrastructure
- Pin all remote dependencies to specific hashes and avoid dynamic URL resolution during builds
# Configuration example - Disable experiments.buildHttp in webpack.config.js
# In your webpack configuration file, ensure buildHttp is disabled:
# module.exports = {
# experiments: {
# buildHttp: false // Disable HTTP(S) resource fetching
# }
# };
# Alternatively, upgrade Webpack to patched version
npm update webpack@^5.104.1
# Verify installed version
npm list webpack
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
