{"id":"CVE-2025-68157","summary":"webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects","details":"Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.","aliases":["GHSA-38r7-794h-5758"],"modified":"2026-04-10T05:34:57.765225Z","published":"2026-02-05T23:08:13.214Z","related":["CGA-g927-hh9p-hjwv"],"database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68157.json","cwe_ids":["CWE-918"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68157.json"},{"type":"ADVISORY","url":"https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68157"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/webpack/webpack","events":[{"introduced":"d3868384c37f9d674d1db17a0198393bd213c763"},{"fixed":"505a5e744fbcf4471ddb534bf1d4aebea9643c1b"}]}],"versions":["v5.100.0","v5.100.1","v5.100.2","v5.101.0","v5.101.1","v5.101.2","v5.101.3","v5.102.0","v5.102.1","v5.103.0","v5.49.0","v5.50.0","v5.51.0","v5.51.1","v5.51.2","v5.52.0","v5.52.1","v5.53.0","v5.54.0","v5.55.0","v5.55.1","v5.56.0","v5.56.1","v5.57.0","v5.57.1","v5.58.0","v5.58.1","v5.58.2","v5.59.0","v5.59.1","v5.60.0","v5.61.0","v5.62.0","v5.62.1","v5.62.2","v5.63.0","v5.64.0","v5.64.1","v5.64.2","v5.64.3","v5.64.4","v5.65.0","v5.66.0","v5.67.0","v5.68.0","v5.69.0","v5.69.1","v5.70.0","v5.71.0","v5.72.0","v5.72.1","v5.73.0","v5.74.0","v5.75.0","v5.76.0","v5.76.1","v5.76.2","v5.76.3","v5.77.0","v5.78.0","v5.79.0","v5.80.0","v5.81.0","v5.82.0","v5.82.1","v5.83.0","v5.83.1","v5.84.0","v5.84.1","v5.85.0","v5.85.1","v5.86.0","v5.87.0","v5.88.0","v5.88.1","v5.88.2","v5.89.0","v5.90.0","v5.90.1","v5.90.2","v5.90.3","v5.91.0","v5.92.0","v5.92.1","v5.93.0","v5.94.0","v5.95.0","v5.96.0","v5.96.1","v5.97.0","v5.97.1","v5.99.0","v5.99.1","v5.99.2","v5.99.3","v5.99.4","v5.99.5","v5.99.6","v5.99.7","v5.99.8","v5.99.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68157.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}]}