CVE-2025-68157
- Source
- https://cve.org/CVERecord?id=CVE-2025-68157
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68157.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-68157
- Aliases
- Downstream
- Published
- 2026-02-05T23:08:13.214Z
- Modified
- 2026-02-07T02:36:24.745904Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects
- Details
-
Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
- Database specific
{ "cwe_ids": [ "CWE-918" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68157.json" }- References
Affected packages
Git / github.com/webpack/webpack
Affected versions
v5.*
v5.100.0
v5.100.1
v5.100.2
v5.101.0
v5.101.1
v5.101.2
v5.101.3
v5.102.0
v5.102.1
v5.103.0
v5.49.0
v5.50.0
v5.51.0
v5.51.1
v5.51.2
v5.52.0
v5.52.1
v5.53.0
v5.54.0
v5.55.0
v5.55.1
v5.56.0
v5.56.1
v5.57.0
v5.57.1
v5.58.0
v5.58.1
v5.58.2
v5.59.0
v5.59.1
v5.60.0
v5.61.0
v5.62.0
v5.62.1
v5.62.2
v5.63.0
v5.64.0
v5.64.1
v5.64.2
v5.64.3
v5.64.4
v5.65.0
v5.66.0
v5.67.0
v5.68.0
v5.69.0
v5.69.1
v5.70.0
v5.71.0
v5.72.0
v5.72.1
v5.73.0
v5.74.0
v5.75.0
v5.76.0
v5.76.1
v5.76.2
v5.76.3
v5.77.0
v5.78.0
v5.79.0
v5.80.0
v5.81.0
v5.82.0
v5.82.1
v5.83.0
v5.83.1
v5.84.0
v5.84.1
v5.85.0
v5.85.1
v5.86.0
v5.87.0
v5.88.0
v5.88.1
v5.88.2
v5.89.0
v5.90.0
v5.90.1
v5.90.2
v5.90.3
v5.91.0
v5.92.0
v5.92.1
v5.93.0
v5.94.0
v5.95.0
v5.96.0
v5.96.1
v5.97.0
v5.97.1
v5.99.0
v5.99.1
v5.99.2
v5.99.3
v5.99.4
v5.99.5
v5.99.6
v5.99.7
v5.99.8
v5.99.9