SSRF in Webpack
CVE-2025-68458
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs t…
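The following is an added example written for this page; it is not code from webpack or from the advisory, and it does not reproduce the specific crafted URLs that bypass webpack's HttpUriPlugin. It shows the general allowlist failure behind an SSRF of this kind: deciding on the raw URL string instead of on the URL that will actually be fetched. Allowlist entries, host names and probe URLs are constructed sample data; the experiments.buildHttp option names at the end follow webpack's documented settings as I know them and should be checked against the webpack version in use.

```javascript
// Added illustrative example (not webpack's code): a prefix check on the raw URL
// string beside a check on the parsed URL. All hosts and paths are constructed.
'use strict';

// Constructed allowlist. Entries without a trailing slash are a common mistake
// and are kept that way here to show what a bare prefix check lets through.
const ALLOWED_URIS = ['https://cdn.example.com', 'https://registry.example.org/pkgs'];

// Weak check: string prefix test on the raw, unparsed URL.
function isAllowedNaive(rawUrl, allowed = ALLOWED_URIS) {
  return allowed.some((prefix) => rawUrl.startsWith(prefix));
}

// Hardened check: parse first, then compare scheme, origin and path of the URL
// that would actually be fetched against each parsed allowlist entry.
function isAllowedHardened(rawUrl, allowed = ALLOWED_URIS) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never allowed
  }
  if (u.protocol !== 'https:') return false; // https only: no http:, file:, etc.
  if (u.username || u.password) return false; // reject userinfo tricks such as host@evil
  return allowed.some((entry) => {
    const a = new URL(entry);
    if (u.origin !== a.origin) return false; // scheme + host + port must match exactly
    // Path prefix with a segment boundary, so "/pkgs" does not admit "/pkgsX".
    const base = a.pathname.endsWith('/') ? a.pathname : `${a.pathname}/`;
    return u.pathname === a.pathname || u.pathname.startsWith(base);
  });
}

// Constructed probe URLs that separate the two checks.
const PROBES = [
  'https://cdn.example.com/lib.js',                  // legitimate
  'https://cdn.example.com@evil.example/payload.js', // userinfo: real host is evil.example
  'https://cdn.example.com.evil.example/payload.js', // host suffix confusion
  'https://cdn.example.com:8443/payload.js',         // different port, different origin
  'https://registry.example.org/pkgsX/payload.js',   // path boundary confusion
  'HTTPS://CDN.EXAMPLE.COM/lib.js',                  // same resource, different spelling
  'http://cdn.example.com/lib.js',                   // downgrade to cleartext
];

// One row per probe so both decisions can be compared side by side.
function compareChecks(probes = PROBES) {
  return probes.map((url) => ({
    url,
    naive: isAllowedNaive(url),
    hardened: isAllowedHardened(url),
  }));
}

// webpack.config.js fragment using the hardened check as the allowlist entry.
// Option names are assumed from webpack's documented experiments.buildHttp
// settings; allowedUris entries may be strings, RegExps or functions.
const webpackConfigFragment = {
  experiments: {
    buildHttp: {
      allowedUris: [isAllowedHardened], // a function receives the URI string
      lockfileLocation: 'webpack.lock',
      frozen: true, // error on any lockfile or remote resource change instead of refetching
    },
  },
};

for (const row of compareChecks()) {
  console.log(`naive=${row.naive} hardened=${row.hardened} ${row.url}`);
}
```

Five of the seven probes pass the prefix check and fail the parsed check; the upper-case spelling is the reverse, because only the parsed check canonicalises the host. Upgrading to 5.104.1 is the actual fix for CVE-2025-68458; an allowlist written as a function over parsed URLs is defence in depth for any build that keeps experiments.buildHttp enabled. To see whether a project is exposed, check the installed version with `npm ls webpack` and search the build configuration for `buildHttp`.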
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS score: 0.002 (10.0th percentile), i.e. a low predicted probability of exploitation in the wild within the next 30 days.
CVSS v3 metric
CVSS v3.1 base score 3.7 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N, i.e. network attack vector, high attack complexity, low privileges required, user interaction required (in practice a build must process the crafted URL), scope unchanged, low confidentiality and integrity impact, no availability impact.
Affected products
- webpack (vendor: webpack.js): versions >= 5.49.0 and < 5.104.1, when experiments.buildHttp is enabled; fixed in 5.104.1
Weakness classification (CWE)
- CWE-918: Server-Side Request Forgery (SSRF), the weakness that corresponds to the vulnerability class above
References
- GitHub Security Advisory, reported via security-advisories@github.com (Vendor Advisory, tagged Exploit, x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2025-68458?
- CVE-2025-68458 is a low-severity Server-Side Request Forgery (SSRF) vulnerability in webpack's HttpUriPlugin, affecting versions >= 5.49.0 and < 5.104.1 when experiments.buildHttp is enabled. CVSS score: 3.7/10. Published 2026-02-05.
- How severe is CVE-2025-68458?
- Low severity. CVSS v3.1 base score is 3.7 out of 10; exploitation requires experiments.buildHttp to be enabled and a build to process a crafted URL.