CVE-2025-68458

{"id": "CVE-2025-68458", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-68458", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T20:26:49.112788Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.2}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "webpack", "product": "webpack", "versions": [{"status": "affected", "version": ">= 5.49.0, < 5.104.1"}]}]}], "published": "2026-02-05T23:15:53.940", "references": [{"url": "https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack\u2019s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1."}, {"lang": "es", "value": "Webpack es un empaquetador de m\u00f3dulos. Desde la versi\u00f3n 5.49.0 hasta antes de la 5.104.1, cuando experiments.buildHttp est\u00e1 habilitado, el resolvedor HTTP(S) de webpack (HttpUriPlugin) puede ser eludido para obtener recursos de hosts fuera de allowedUris utilizando URLs manipuladas que incluyen userinfo (username:password@host). Si la aplicaci\u00f3n de allowedUris se basa en una comprobaci\u00f3n de prefijo de cadena sin procesar (por ejemplo, uri.startsWith(allowed)), una URL que parece estar en la lista de permitidos puede pasar la validaci\u00f3n mientras que la solicitud de red real se env\u00eda a una autoridad/host diferente despu\u00e9s del an\u00e1lisis de la URL. Esto es una omisi\u00f3n de pol\u00edtica/lista de permitidos que habilita el comportamiento SSRF en tiempo de compilaci\u00f3n (solicitudes salientes desde la m\u00e1quina de compilaci\u00f3n a puntos finales solo internos, dependiendo del acceso a la red) y la inclusi\u00f3n de contenido no confiable (la respuesta obtenida se trata como fuente de m\u00f3dulo y se empaqueta). Este problema ha sido parcheado en la versi\u00f3n 5.104.1."}], "lastModified": "2026-06-17T09:59:05.960", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:webpack.js:webpack:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "0AEEDFC3-E074-45A4-8E77-E10FE80A8054", "versionEndExcluding": "5.104.1", "versionStartIncluding": "5.49.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}