What is the CVSS score of CVE-2025-68458?

CVE-2025-68458 has a CVSS 3.1 base score of 3.7 (Low). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Webpack are affected by CVE-2025-68458?

CVE-2025-68458 is a low-severity vulnerability in Webpack involving SSRF (CVSS 3.7).. A patch is available.

Is there a public PoC exploit available for CVE-2025-68458?

Yes, a public proof-of-concept exploit is available for CVE-2025-68458. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-68458?

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Webpack CVE-2025-68458

LOW

Server-Side Request Forgery (SSRF) (CWE-918)

2026-02-05 security-advisories@github.com

GHSA-8fgc-7cc6-rx7x

SSRF Webpack

3.7

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

3.7 LOW

AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 13, 2026 - 19:16 vuln.today

Public exploit code

CVE Published

Feb 05, 2026 - 23:15 nvd

LOW 3.7

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

16 npm packages depend on webpack (16 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.49.0.

DescriptionGitHub Advisory

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.

AnalysisAI

Technical ContextAI

Classified as CWE-918 (Server-Side Request Forgery (SSRF)). Affects Webpack. Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/ho

RemediationAI

Fixed in version 5.104.1.. Restrict network access to the affected service where possible.

CVE-2025-68458 vulnerability details – vuln.today

Back