Webpack

2 CVEs product

CVE-2025-68458 npm LOW POC PATCH Monitor

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). [CVSS 3.7 LOW]

SSRF Webpack
NVD GitHub
CVSS 3.1: 3.7
EPSS: 0.0%
CVE-2025-68157 npm LOW POC PATCH Monitor

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. [CVSS 3.7 LOW]

SSRF Webpack
NVD GitHub
CVSS 3.1: 3.7
EPSS: 0.0%