CNNVD-202602-898 Information
CNNVD ID
CNNVD-202602-898
Related CVE
- CNNVD Published: 2026-02-05
Description
Webpack is an open-source module bundler from Webpack. Its main purpose is to bundle JavaScript files for use in the browser, but it can also transform, bundle or package almost any resource or asset. Webpack versions from 5.49.0 up to, but not including, 5.104.1 contain a code issue vulnerability. When experiments.buildHttp is enabled, a crafted URL containing userinfo can bypass the HTTP(S) resolver and fetch resources from hosts outside the allowlist. This may lead to a policy or allowlist bypass and, as a result, to server-side request forgery (SSRF) behavior at build time.
Hazard Level
High
Vulnerability Type
Code issue
Affected Vendor
webpack
Published
2026-02-05
Last Modified
2026-02-24
References
https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x
Patch
https://github.com/webpack/webpack/releases