What is the CVSS score of CVE-2025-68157?

CVE-2025-68157 has a CVSS 3.1 base score of 3.7 (Low). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Webpack are affected by CVE-2025-68157?

CVE-2025-68157 is a low-severity vulnerability in Webpack involving SSRF (CVSS 3.7).. A patch is available.

Is there a public PoC exploit available for CVE-2025-68157?

Yes, a public proof-of-concept exploit is available for CVE-2025-68157. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-68157?

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Webpack CVE-2025-68157

LOW

Server-Side Request Forgery (SSRF) (CWE-918)

2026-02-05 security-advisories@github.com

GHSA-38r7-794h-5758

SSRF Webpack

3.7

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

3.7 LOW

AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 13, 2026 - 19:21 vuln.today

Public exploit code

CVE Published

Feb 05, 2026 - 23:15 nvd

LOW 3.7

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

16 npm packages depend on webpack (16 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.49.0.

DescriptionGitHub Advisory

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.

AnalysisAI

Technical ContextAI

Classified as CWE-918 (Server-Side Request Forgery (SSRF)). Affects Webpack. Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build mac

RemediationAI

Fixed in version 5.104.0.. Restrict network access to the affected service where possible.

CVE-2025-68157 vulnerability details – vuln.today

Back