Bug 2437209 (CVE-2025-68458) - CVE-2025-68458 webpack: webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
Status: NEW
Alias: CVE-2025-68458
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
Depends On: 2437330 2437331 2437333 2437337 2437339 2437341 2437343 2437345 2437349 2437351 2437355 2437357 2437359 2437361 2437363 2437365 2437367 2437369 2437373 2437379 2437381 2437383 2437385 2437387 2437389 2437391 2437393 2437397 2437399 2437332 2437334 2437335 2437347 2437353 2437371 2437375 2437377 2437395 2437401 2437403
Reported: 2026-02-06 00:01 UTC by OSIDB Bzimport
Modified: 2026-02-06 18:29 UTC (History)




Description OSIDB Bzimport 2026-02-06 00:01:23 UTC
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.
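The check weakness the description refers to, as an added example that is not webpack's own code: a raw `startsWith` comparison beside a comparison of the parsed URL's authority. The allow-list entry, the sample URIs and the function names (`isAllowedByPrefix`, `effectiveHost`, `isAllowedByOrigin`) are constructed for this illustration; it assumes Node.js, where the WHATWG `URL` class is global.

```javascript
// Added example (not webpack's own code). Constructed allow-list; the
// function names below are hypothetical. Assumes Node.js (global URL).

// An allow-list entry written as a raw string, without a trailing slash.
const ALLOWED_URIS = ["https://cdn.example.com"];

// Vulnerable form: the raw string is compared before any URL parsing.
// Only the leading characters are examined, not the authority the
// request will actually be sent to.
function isAllowedByPrefix(uri) {
  return ALLOWED_URIS.some((allowed) => uri.startsWith(allowed));
}

// Hostname the HTTP client would actually connect to once the URI is
// parsed. Anything before "@" in the authority is userinfo, not the host.
function effectiveHost(uri) {
  return new URL(uri).hostname;
}

// Hardened form: parse both sides and compare the parts that decide where
// the request goes (scheme, host, port), then confine the path to the
// allow-listed prefix. URIs carrying credentials are rejected outright,
// so userinfo can never move the real authority past the check.
function isAllowedByOrigin(uri) {
  let target;
  try {
    target = new URL(uri);
  } catch {
    return false; // unparsable input is never allow-listed
  }
  if (target.username !== "" || target.password !== "") return false;
  return ALLOWED_URIS.some((allowed) => {
    const base = new URL(allowed);
    return (
      target.protocol === base.protocol &&
      target.hostname === base.hostname &&
      target.port === base.port &&
      target.pathname.startsWith(base.pathname)
    );
  });
}

// Constructed sample URIs: a legitimate one, and one whose leading
// characters match the allow-list while its parsed host is elsewhere.
const LEGIT = "https://cdn.example.com/vendor.js";
const LOOKALIKE = "https://cdn.example.com@internal.example/config.js";
```

Logging `effectiveHost()` for every URI the resolver accepts is a cheap way to spot an allow-list that passes a string but not the authority it resolves to.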

