CVE-2025-68157 - Vulnerability Details

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Webpack	Webpack

No data.

References

Link	Providers
https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758
https://nvd.nist.gov/vuln/detail/CVE-2025-68157
https://www.cve.org/CVERecord?id=CVE-2025-68157

History

Sat, 07 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-68157 https://www.cve.org/CVERecord?id=CVE-2025-68157
Metrics	threat_severity `None`	threat_severity `Low`

Fri, 06 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 06 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Webpack Webpack webpack
Vendors & Products		Webpack Webpack webpack

Thu, 05 Feb 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
Title		webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects
Weaknesses		CWE-918
References		https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758
Metrics		cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-05T23:08:13.214Z

Updated: 2026-02-06T19:29:14.352Z

Reserved: 2025-12-15T23:02:17.604Z

Link: CVE-2025-68157

Vulnrichment

Updated: 2026-02-06T19:29:10.004Z

NVD

Status : Awaiting Analysis

Published: 2026-02-05T23:15:53.777

Modified: 2026-02-06T15:14:47.703

Link: CVE-2025-68157

Redhat

Severity : Low

Publid Date: 2026-02-05T23:08:13Z

Links: CVE-2025-68157 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object