CNNVD-202602-899 Information
CNNVD ID
CNNVD-202602-899
Related CVE
- CNNVD Published: 2026-02-05
Description (Chinese)
Webpack is an open-source module bundler from Webpack. Its main purpose is to bundle JavaScript files for use in the browser, but it can also transform, bundle or package almost any resource or asset. Webpack versions from 5.49.0 up to (but not including) 5.104.0 contain a code-issue vulnerability: when experiments.buildHttp is enabled, the HTTP(S) resolver does not re-validate allowedUris after following an HTTP 30x redirect, which can lead to a policy or allowlist bypass and thereby to server-side request forgery behaviour at build time.
Description (English)
Webpack is an open-source module bundler from Webpack. Its main purpose is to bundle JavaScript files for use in the browser, but it can also transform, bundle or package almost any resource or asset. Webpack versions from 5.49.0 up to (but not including) 5.104.0 contain a code-issue vulnerability: when experiments.buildHttp is enabled, the HTTP(S) resolver fails to re-validate allowedUris after following an HTTP 30x redirect, which may result in a policy or allowlist bypass and thus server-side request forgery behaviour at build time.
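The check the advisory describes as missing is an allowlist re-validation on every redirect hop, not only on the URL the build originally asked for. The following is an added illustration, not webpack's code: a small redirect-following fetcher that applies an allowlist to each hop, next to the weaker variant that checks only the initial URL. The matcher semantics (a string is a URL prefix, a RegExp is tested, a function is a predicate) are an assumption modelled on the general shape of an allowedUris-style option; the responses are constructed in-line so nothing touches the network.

```javascript
// Added example (not webpack's code). Matcher semantics for allowedUris entries
// are an assumption: string = URL prefix, RegExp = test(), function = predicate.
function isAllowed(url, allowedUris) {
  return allowedUris.some((rule) => {
    if (typeof rule === "string") return url.startsWith(rule);
    if (rule instanceof RegExp) return rule.test(url);
    if (typeof rule === "function") return rule(url) === true;
    return false;
  });
}

// Follow up to maxRedirects 30x responses. With revalidateOnRedirect = true the
// allowlist is applied to every hop (the safe behaviour); with false only the
// starting URL is checked, which is the class of defect the advisory describes.
// fetchImpl(url) -> { status, headers: { location? }, body? } (synchronous for the demo).
function fetchWithAllowlist(startUrl, allowedUris, fetchImpl, opts = {}) {
  const { maxRedirects = 5, revalidateOnRedirect = true } = opts;
  let url = startUrl;
  const hops = [];
  for (let i = 0; i <= maxRedirects; i++) {
    if (i === 0 || revalidateOnRedirect) {
      if (!isAllowed(url, allowedUris)) {
        throw new Error(`blocked by allowedUris: ${url}`);
      }
    }
    hops.push(url);
    const res = fetchImpl(url);
    if (res.status >= 300 && res.status < 400 && res.headers && res.headers.location) {
      // Resolve relative Location headers against the URL that issued the redirect.
      url = new URL(res.headers.location, url).toString();
      continue;
    }
    return { url, body: res.body, hops };
  }
  throw new Error(`too many redirects starting from ${startUrl}`);
}

// Constructed responses standing in for a network; hostnames are placeholders.
const FAKE_RESPONSES = {
  "https://cdn.example.com/lib.js": { status: 200, headers: {}, body: "export const ok = 1;" },
  "https://cdn.example.com/moved.js": { status: 302, headers: { location: "/lib.js" } },
  "https://cdn.example.com/redirects-out.js": {
    status: 301,
    headers: { location: "http://internal-service.example.test/" },
  },
  "http://internal-service.example.test/": { status: 200, headers: {}, body: "INTERNAL" },
};

function fakeFetch(url) {
  const res = FAKE_RESPONSES[url];
  if (!res) throw new Error(`no constructed response for ${url}`);
  return res;
}

// Only the CDN prefix is trusted.
const ALLOWED = ["https://cdn.example.com/"];

// A redirect that stays inside the allowlist is followed normally.
function demoFollowedRedirect() {
  return fetchWithAllowlist("https://cdn.example.com/moved.js", ALLOWED, fakeFetch);
}

// A redirect that leaves the allowlist is refused when every hop is re-validated.
function demoBlockedRedirect() {
  try {
    fetchWithAllowlist("https://cdn.example.com/redirects-out.js", ALLOWED, fakeFetch);
    return "fetched";
  } catch (e) {
    return e.message;
  }
}

// Checking only the starting URL lets the same redirect reach the internal host.
function demoInitialCheckOnly() {
  return fetchWithAllowlist("https://cdn.example.com/redirects-out.js", ALLOWED, fakeFetch, {
    revalidateOnRedirect: false,
  });
}

console.log("followed:", demoFollowedRedirect().hops);
console.log("re-validated:", demoBlockedRedirect());
console.log("initial check only:", demoInitialCheckOnly().url);
```

A detection angle follows from the same logic: a build that fetches remote modules should log the final URL of every fetch (not just the requested one), so an allowlist bypass via redirect shows up as a resolved URL outside the configured prefixes.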
Hazard Level
High
Vulnerability Type
Code issue
Affected Vendor
webpack
Published
2026-02-05
Last Modified
2026-02-24
References
https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758
Patch
https://github.com/webpack/webpack/releases