Bug 2437210 (CVE-2025-68157) - CVE-2025-68157 webpack: webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects
Summary: CVE-2025-68157 webpack: webpack buildHttp HttpUriPlugin allowedUris bypass vi...
Keywords:
Status: NEW
Alias: CVE-2025-68157
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: low low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2437336 2437338 2437342 2437348 2437350 2437352 2437354 2437356 2437360 2437362 2437366 2437368 2437370 2437372 2437374 2437376 2437378 2437380 2437384 2437390 2437392 2437394 2437396 2437398 2437400 2437402 2437404 2437406 2437407 2437340 2437344 2437346 2437358 2437364 2437382 2437386 2437388 2437405 2437408 2437409
Blocks:
Reported: 2026-02-06 00:01 UTC by OSIDB Bzimport
Modified: 2026-02-06 18:29 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-02-06 00:01:25 UTC
Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
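To make the described defect concrete, here is an added example (not webpack's code, and not the upstream fix) of an allow-list applied once versus on every redirect hop. The hostnames, the injected offline `fetchHop`, and the `revalidate` option are assumptions constructed for this illustration.

```javascript
// Added example (not webpack's code): an allow-list that is re-checked on
// every redirect hop, versus one checked only on the initial request.
// `allowedUris` follows the shape of webpack's option: string prefixes or RegExps.
function isAllowed(url, allowedUris) {
  return allowedUris.some((rule) =>
    rule instanceof RegExp ? rule.test(url) : url.startsWith(rule),
  );
}

// Follow 30x redirects starting from `startUrl`. `fetchHop` is an injected,
// synchronous fetch (url -> { status, headers, body }) so this runs offline.
// revalidate=false reproduces the pre-5.104.0 behaviour described above
// (allow-list applied once); revalidate=true is the corrected behaviour.
function resolveModule(startUrl, allowedUris, fetchHop, opts = {}) {
  const { revalidate = true, maxRedirects = 5 } = opts;
  let url = startUrl;
  if (!isAllowed(url, allowedUris)) throw new Error(`blocked: ${url}`);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = fetchHop(url);
    const loc = res.headers && res.headers.location;
    if (res.status >= 300 && res.status < 400 && loc) {
      url = new URL(loc, url).href; // Location may be relative; resolve against current URL
      if (revalidate && !isAllowed(url, allowedUris)) {
        throw new Error(`blocked after redirect: ${url}`);
      }
      continue;
    }
    return { url, body: res.body }; // final hop: this body is what gets bundled
  }
  throw new Error(`too many redirects from ${startUrl}`);
}

// Constructed responses (hypothetical hosts): an allow-listed CDN URL redirects
// off the allow-list to an internal host whose body would otherwise be bundled;
// a second CDN URL redirects with a relative Location that stays on the list.
const RESPONSES = {
  "https://cdn.example.com/lib.js": {
    status: 302, headers: { location: "http://internal.example/build-secret.js" }, body: "",
  },
  "http://internal.example/build-secret.js": { status: 200, headers: {}, body: "module.exports = 'not from the CDN';" },
  "https://cdn.example.com/ok.js": { status: 301, headers: { location: "/ok.v2.js" }, body: "" },
  "https://cdn.example.com/ok.v2.js": { status: 200, headers: {}, body: "module.exports = 'ok';" },
};
const fakeFetch = (url) => RESPONSES[url] || { status: 404, headers: {}, body: "" };
const ALLOWED = ["https://cdn.example.com/"];
```

With `revalidate: false` the off-list body is returned as module source, which is the content-inclusion outcome the description refers to; with the default it is rejected at the redirect.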

