CVE-2025-68458
中文标题:
(暂无数据)
英文标题:
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
漏洞描述
中文描述:
(暂无数据)
英文描述:
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| webpack | webpack | >= 5.49.0, < 5.104.1 | - | - |
cpe:2.3:a:webpack:webpack:>=_5.49.0,_<_5.104.1:*:*:*:*:*:*:*
|
| webpack.js | webpack | * | - | - |
cpe:2.3:a:webpack.js:webpack:*:*:*:*:*:node.js:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
cve.org
CVSS评分详情
3.1 (cna)
LOWCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-68458 |
2026-02-06 03:17:22 | 2026-02-05 22:00:08 |
| NVD | nvd_CVE-2025-68458 |
2026-02-06 02:00:04 | 2026-02-05 22:00:14 |
版本与语言
安全公告
变更历史
查看详细变更
- affected_products_count: 1 -> 2
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']