CVE-2025-68458
📋 TL;DR
This CVE describes a security bypass vulnerability in Webpack's HTTP(S) resolver when the experiments.buildHttp feature is enabled. Attackers can craft URLs with userinfo components to bypass allowedUris restrictions, enabling Server-Side Request Forgery (SSRF) attacks during build time and inclusion of untrusted content in bundled modules. This affects Webpack users with experiments.buildHttp enabled who rely on string prefix checks for URL validation.
💻 Affected Systems
- webpack
📦 What is this software?
Webpack by Webpack.js
⚠️ Risk & Real-World Impact
Worst Case
Attackers can make outbound requests from the build machine to internal-only endpoints, potentially accessing sensitive internal services, and include malicious content in the final bundled application.
Likely Case
Build-time SSRF allowing attackers to probe internal networks and fetch unauthorized resources that get bundled into the application.
If Mitigated
Limited impact if allowedUris uses proper URL parsing instead of string prefix checks, or if experiments.buildHttp is disabled.
🎯 Exploit Status
Exploitation requires control over the URL input to Webpack's HTTP resolver, which could come from package.json dependencies, configuration files, or build scripts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.104.1
Vendor Advisory: https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x
Restart Required: No
Instructions:
1. Update webpack to version 5.104.1 or later using npm: npm update webpack@^5.104.1 or yarn: yarn upgrade webpack@^5.104.1.
2. Verify the update by checking package.json and running webpack --version.
🔧 Temporary Workarounds
Disable experiments.buildHttp
Disable the vulnerable feature if not required for your build process
In webpack.config.js, set experiments.buildHttp to false or remove the experiments.buildHttp configuration entirely
Implement proper URL validation
Replace string prefix checks with proper URL parsing and hostname validation
Implement validation using URL parsing libraries to extract and validate hostnames instead of uri.startsWith() checks
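The contrast between a string prefix check and a parsed-hostname check, as an added example that is not webpack's own code or the advisory's. The allowlist entries, the sample URLs and the host names are constructed for illustration. It goes slightly beyond the userinfo case in the advisory: the same parsed check also rejects look-alike hosts that merely start with the allowed prefix and a scheme downgrade. The `hardenedConfig` object at the end uses the function form of `experiments.buildHttp.allowedUris`, which webpack 5 documents alongside string and RegExp entries.

```javascript
// Added example (not webpack's code): weak prefix check beside a hardened
// URL-parsing check, using Node's built-in WHATWG URL class.

// Constructed allowlist. Note the prefix has no trailing slash, which is the
// shape a prefix check handles worst.
const ALLOWED_PREFIXES = ["https://cdn.example.com"];
const ALLOWED_HOSTS = new Set(["cdn.example.com"]);

// Weak: the pattern the advisory warns about. Anything whose text merely
// starts with the allowed string passes, regardless of which host the URL
// actually resolves to after parsing.
function prefixAllow(uri) {
  return ALLOWED_PREFIXES.some((p) => uri.startsWith(p));
}

// Hardened: parse the URL, require https, reject any userinfo component,
// and compare the parsed hostname exactly against the allowlist.
function hostnameAllow(uri) {
  let u;
  try {
    u = new URL(uri);
  } catch {
    return false; // unparseable input is never allowed
  }
  if (u.protocol !== "https:") return false;
  if (u.username !== "" || u.password !== "") return false;
  return ALLOWED_HOSTS.has(u.hostname);
}

// Runs both checks over a list of URLs and reports where they disagree,
// which is exactly the set of inputs the prefix check gets wrong.
function disagreements(uris) {
  return uris.filter((uri) => prefixAllow(uri) !== hostnameAllow(uri));
}

// Constructed sample inputs: one legitimate CDN URL, one URL carrying
// userinfo, one look-alike host, one scheme downgrade.
const SAMPLE_URIS = [
  "https://cdn.example.com/lib.js",
  "https://cdn.example.com@internal.example.test/config.js",
  "https://cdn.example.com.evil.test/x.js",
  "http://cdn.example.com/lib.js",
];

// Hypothetical webpack.config.js fragment using the function form of
// allowedUris so webpack consults hostnameAllow for each requested URI.
const hardenedConfig = {
  experiments: {
    buildHttp: {
      allowedUris: [hostnameAllow],
    },
  },
};

module.exports = { prefixAllow, hostnameAllow, disagreements, SAMPLE_URIS, hardenedConfig };
```

Of the four sample URIs only the first is accepted by `hostnameAllow`; the prefix check additionally accepts the next two, which is the disagreement set a defender should be testing for after replacing `uri.startsWith()` logic. Disabling the feature entirely (`experiments.buildHttp: false`) remains the simpler workaround when HTTP imports are not needed.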
🧯 If You Can't Patch
- Disable experiments.buildHttp feature in webpack configuration
- Implement network-level restrictions to limit outbound HTTP requests from build machines
🔍 How to Verify
Check if Vulnerable:
Check if webpack version is between 5.49.0 and 5.104.0, and if experiments.buildHttp is enabled in configuration
Check Version:
webpack --version or npx webpack --version
Verify Fix Applied:
Verify webpack version is 5.104.1 or higher using webpack --version command
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from build processes
- Failed URL validation attempts with crafted userinfo URLs
Network Indicators:
- HTTP requests from build machines to unexpected internal endpoints
- Requests with userinfo components in URLs
SIEM Query:
source="build-server" AND (http.url CONTAINS "@" OR http.user_agent CONTAINS "webpack")
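A parsed version of the detection idea above, as an added example that is not the page's SIEM query or webpack's code. Instead of matching the literal "@" anywhere in a URL string, it parses each logged URL and reports lines where the URL carries a userinfo component or resolves to a host outside the expected set. The log format (`url=...` fields on a build-server line), the expected host and the sample lines are all constructed.

```javascript
// Added example (not webpack's code): triage constructed build-server log
// lines for outbound fetches that warrant investigation.

// Constructed set of hosts the build is expected to fetch from.
const EXPECTED_HOSTS = new Set(["cdn.example.com"]);

// Constructed sample log lines in a hypothetical "timestamp level msg url=..."
// layout. Line 2 carries userinfo, line 3 targets a look-alike host, line 4
// has no URL at all and is skipped.
const SAMPLE_LOG = [
  "2025-01-10T10:00:01Z INFO buildHttp fetch url=https://cdn.example.com/lib.js",
  "2025-01-10T10:00:02Z INFO buildHttp fetch url=https://cdn.example.com@internal.example.test/config.js",
  "2025-01-10T10:00:03Z INFO buildHttp fetch url=https://cdn.example.com.evil.test/x.js",
  "2025-01-10T10:00:04Z INFO compile done",
];

// Returns one finding per suspicious line: { line, reason, host }.
// reason is "userinfo-in-url", "unexpected-host" or "unparseable-url".
function findings(lines) {
  const out = [];
  for (const line of lines) {
    const m = /\burl=(\S+)/.exec(line);
    if (!m) continue; // not a fetch line
    let u;
    try {
      u = new URL(m[1]);
    } catch {
      out.push({ line, reason: "unparseable-url", host: null });
      continue;
    }
    if (u.username !== "" || u.password !== "") {
      // userinfo present: the parsed host is what the request really went to
      out.push({ line, reason: "userinfo-in-url", host: u.hostname });
    } else if (!EXPECTED_HOSTS.has(u.hostname)) {
      out.push({ line, reason: "unexpected-host", host: u.hostname });
    }
  }
  return out;
}

module.exports = { findings, SAMPLE_LOG, EXPECTED_HOSTS };
```

Reporting the parsed hostname rather than the raw string is the useful part for an analyst: for the userinfo line it is the host after the "@", which is the endpoint the build machine actually contacted.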