## Webpack Security Flaw (CVE-2025-68458) Allows Bypass of HTTP Resource Restrictions
A critical security vulnerability in webpack, the widely used JavaScript module bundler, allows an attacker to bypass the bundler's configured resource restrictions and have it fetch code from a server the developer never approved. The flaw, tracked as CVE-2025-68458, affects builds that enable the experimental `experiments.buildHttp` feature. It stems from how the HTTP(S) resolver handles URLs that carry userinfo (the `username:password@host` form): an `allowedUris` entry given as a plain string is enforced by prefix matching on the raw URL text, and that text can be arranged so the prefix matches while the host that is actually contacted is something else.

Specifically, the `HttpUriPlugin` can be tricked into fetching from a host that is not on the allowlist. Suppose the configuration permits any URI that begins with the trusted string `https://cdn.example.com` (the check only passes as described if the entry is matched without a trailing slash, or by a pattern anchored on the host alone). A URL such as `https://cdn.example.com@evil.com/` satisfies that prefix test, but a standards-conforming URL parser reads `cdn.example.com` as the userinfo component and `evil.com` as the host, so the resolver connects to `evil.com` instead of the intended CDN. An attacker who can get such a URL into the build therefore has a direct supply-chain vector: untrusted code is fetched and bundled into the build output.
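The following is an added example, not webpack's source and not code from the report. It models the weak check as a plain `startsWith` over the raw URL, then shows what Node's WHATWG `URL` parser actually extracts from the crafted string and a host-based check that is not fooled. The allowlist entry without a trailing slash, the hostnames and the file name are constructed for the demonstration; the `allowedUris` function entry mentioned in the closing comment is an assumed way of plugging such a check into a webpack config, not something the report describes.

```javascript
// Added example (not webpack's own code): why a string-prefix allowlist is
// bypassed by URL userinfo, and a host-based check that is not.

// A string entry in experiments.buildHttp.allowedUris is treated as a prefix
// of the raw request URL. Modelled here as a plain startsWith check; this
// mirrors the weak pattern the page describes, it is not webpack's source.
function allowedByPrefix(uri, prefixes) {
  return prefixes.some((p) => uri.startsWith(p));
}

// Hardened check: parse with the WHATWG URL parser (the same rules the fetch
// layer applies), refuse any userinfo at all, and compare scheme and host
// exactly against a list of bare hostnames.
function allowedByHost(uri, allowedHosts) {
  let url;
  try {
    url = new URL(uri);
  } catch (e) {
    return false; // unparseable -> deny
  }
  if (url.protocol !== 'https:') return false;
  // Any '@' in the authority shows up here; there is no legitimate reason
  // for a build-time CDN URL to carry credentials, so reject outright.
  if (url.username !== '' || url.password !== '') return false;
  return allowedHosts.includes(url.hostname);
}

// The host the HTTP client will actually open a connection to.
function effectiveHost(uri) {
  return new URL(uri).hostname;
}

// Constructed inputs (not from the report): an allowlist entry written
// without a trailing slash, the matching host list, a legitimate URL and
// the crafted one from the writeup.
const PREFIX_ALLOWLIST = ['https://cdn.example.com'];
const HOST_ALLOWLIST = ['cdn.example.com'];
const LEGIT = 'https://cdn.example.com/vendor.js';
const CRAFTED = 'https://cdn.example.com@evil.com/vendor.js';

// Runs both checks over both URLs and reports what the parser saw.
function demo() {
  return {
    prefixAllowsLegit: allowedByPrefix(LEGIT, PREFIX_ALLOWLIST),
    prefixAllowsCrafted: allowedByPrefix(CRAFTED, PREFIX_ALLOWLIST),
    craftedUserinfo: new URL(CRAFTED).username,
    craftedHost: effectiveHost(CRAFTED),
    hostAllowsLegit: allowedByHost(LEGIT, HOST_ALLOWLIST),
    hostAllowsCrafted: allowedByHost(CRAFTED, HOST_ALLOWLIST),
  };
}

// Assumed usage (illustrative, not from the report): webpack accepts function
// entries in allowedUris, each called with the raw URI string, so the
// hardened check can replace the string prefix directly:
//   experiments: {
//     buildHttp: {
//       allowedUris: [(uri) => allowedByHost(uri, ['cdn.example.com'])],
//       lockfileLocation: './webpack.lock',
//       cacheLocation: './webpack.lock.data',
//       frozen: true,
//     },
//   },
```

`demo()` returns `prefixAllowsCrafted: true` with `craftedHost: 'evil.com'` and `craftedUserinfo: 'cdn.example.com'`, which is the whole bug in one object: the prefix check and the connection logic disagree about which host the URL names. Note that a prefix entry written with a trailing slash (`https://cdn.example.com/`) would not match this particular string, but relying on that is fragile; comparing the parsed `hostname` and rejecting userinfo removes the class of confusion rather than one spelling of it.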

The vulnerability underscores the persistent risks in complex build toolchains and dependency management. Any project that enables `experiments.buildHttp` to fetch remote modules or assets is exposed. The fix ships in webpack 5.104.1; teams on earlier releases (the report cites 5.99.9) should update promptly. Independently of the upgrade, `allowedUris` entries are safer as functions that parse the URL and compare the host than as raw string prefixes, and setting the feature's `frozen` option in CI causes any change to the lockfile or to a remote resource's contents to fail the build rather than pass silently. The incident shows how a mismatch between URL-parsing rules and the string logic of a security check can open an exploitable gap in widely used open-source infrastructure.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software supply chain, open source, vulnerability, CVE-2025-68458
- **Credibility**: unverified
- **Published**: 2026-04-15 09:22:41
- **ID**: 65238
- **URL**: https://whisperx.ai/en/intel/65238