Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68458

CVE-2025-68458: Webpack SSRF Vulnerability

CVE-2025-68458 is an SSRF flaw in Webpack's HttpUriPlugin that allows attackers to bypass allowedUris restrictions using crafted URLs. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2025-68458 Overview

CVE-2025-68458 is a Server-Side Request Forgery (SSRF) vulnerability in Webpack, a widely-used JavaScript module bundler. The vulnerability exists in Webpack's HTTP(S) resolver (HttpUriPlugin) when the experimental experiments.buildHttp feature is enabled. Attackers can bypass the allowedUris security control by crafting malicious URLs that include userinfo components (username:password@host), allowing them to fetch resources from unauthorized hosts during the build process.

Critical Impact

This vulnerability enables build-time SSRF attacks where outbound requests from build machines can reach internal-only endpoints, and untrusted content can be bundled as module source code, potentially compromising application integrity.

Affected Products

  • Webpack versions 5.49.0 to 5.104.0
  • Applications using experiments.buildHttp with allowedUris restrictions
  • Build pipelines leveraging Webpack's HTTP(S) resource fetching capabilities

Discovery Timeline

  • 2026-02-05 - CVE CVE-2025-68458 published to NVD
  • 2026-02-05 - Last updated in NVD database

Technical Details for CVE-2025-68458

Vulnerability Analysis

The vulnerability stems from an improper URL validation mechanism in Webpack's HttpUriPlugin. When experiments.buildHttp is enabled, Webpack allows fetching remote modules over HTTP/HTTPS. The allowedUris configuration is intended to restrict which hosts can be contacted during the build process.

The security bypass occurs because the allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)). This approach fails to account for URL parsing semantics, particularly the userinfo component specified in RFC 3986. An attacker can construct a URL like https://allowed-domain.com@malicious-host.internal/payload that passes the string-based validation (it starts with the allowed domain) but after URL parsing, the actual network request is sent to malicious-host.internal.

This vulnerability is classified under CWE-918 (Server-Side Request Forgery), as it allows attackers to induce the server-side build process to make requests to arbitrary destinations.

Root Cause

The root cause is the discrepancy between how URLs are validated (string prefix matching) versus how they are parsed and resolved for network requests. The userinfo component (username:password@) is a legitimate part of URL syntax used for authentication, but when the host portion of a URL is mistakenly placed in the userinfo position, browsers and HTTP clients interpret the portion after @ as the actual target host.

The vulnerable code path performs validation on the raw URL string before parsing, allowing specially crafted URLs to bypass the allow-list while still resulting in requests to attacker-controlled endpoints.

Attack Vector

The attack requires network access and leverages the following conditions:

  1. Target build system has Webpack configured with experiments.buildHttp enabled
  2. The allowedUris configuration restricts allowed remote hosts
  3. Attacker can influence URLs processed during the build (e.g., through dependency configuration, import statements, or other input vectors)

An attacker crafts a URL such as https://trusted-cdn.example.com@attacker-internal-service/malicious-module.js. This URL passes the string prefix validation against trusted-cdn.example.com but the actual HTTP request targets attacker-internal-service. The response from the malicious endpoint is then bundled as legitimate module source code, enabling supply chain attacks or information exfiltration from internal networks during build time.

Detection Methods for CVE-2025-68458

Indicators of Compromise

  • Unusual outbound HTTP/HTTPS requests from build servers to internal or unexpected hosts
  • Build logs containing URLs with @ symbols in suspicious positions (e.g., domain names appearing before @)
  • Network traffic from build environments targeting internal infrastructure that should not be accessed
  • Module source code containing unexpected or obfuscated content from external sources

Detection Strategies

  • Monitor build server network egress for connections to internal-only endpoints or unexpected external hosts
  • Implement URL parsing validation in CI/CD pipelines to detect userinfo-based bypass attempts
  • Review Webpack configurations for experiments.buildHttp usage and audit allowedUris settings
  • Analyze build artifacts for suspicious or unexpected module inclusions

Monitoring Recommendations

  • Enable detailed logging for Webpack builds to capture all HTTP(S) resource fetch operations
  • Deploy network monitoring on build infrastructure to detect SSRF-style request patterns
  • Implement alerting for build processes attempting to access internal network ranges
  • Audit dependency configurations and import statements for unusual URL patterns

How to Mitigate CVE-2025-68458

Immediate Actions Required

  • Upgrade Webpack to version 5.104.1 or later where this vulnerability has been patched
  • Review all projects using experiments.buildHttp to assess exposure risk
  • Audit allowedUris configurations and verify they are being enforced correctly post-upgrade
  • Consider temporarily disabling experiments.buildHttp if patching is not immediately possible

Patch Information

The vulnerability has been addressed in Webpack version 5.104.1. Organizations should upgrade to this version or later to remediate the vulnerability. The patch implements proper URL parsing before validation, ensuring that the actual target host is verified against the allow-list rather than relying on string prefix matching.

For detailed information about the security fix, refer to the GitHub Security Advisory.

Workarounds

  • Disable experiments.buildHttp entirely if remote module fetching is not required
  • Implement network-level controls to restrict build server egress to only necessary external endpoints
  • Use a reverse proxy or firewall rules to validate and sanitize outbound requests from build infrastructure
  • Pin all remote dependencies to specific hashes and avoid dynamic URL resolution during builds
bash
# Configuration example - Disable experiments.buildHttp in webpack.config.js
# In your webpack configuration file, ensure buildHttp is disabled:
# module.exports = {
#   experiments: {
#     buildHttp: false  // Disable HTTP(S) resource fetching
#   }
# };

# Alternatively, upgrade Webpack to patched version
npm update webpack@^5.104.1

# Verify installed version
npm list webpack

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.