## Webpack 5.104.1 Patches SSRF Vulnerability in buildHttp allowedUris Bypass
A security-critical update to webpack addresses a vulnerability that could allow attackers to bypass URL allow-lists and trigger server-side request forgery (SSRF) during build processes. The patch, released as webpack version 5.104.1, resolves CVE-2025-68458 (GHSA-8fgc-7cc6-rx7x), which affects the experimental `buildHttp` feature when `allowedUris` configuration is in use. Organizations running affected versions with this feature enabled face potential exposure to unauthorized network requests during compilation.

The vulnerability lies in webpack's HTTP(S) resolver, specifically in the `HttpUriPlugin`. By placing a userinfo component in the URL (the text before an `@` symbol), an attacker can circumvent the `allowedUris` allow-list that is meant to restrict which external resources webpack may fetch at build time. The bypass causes webpack to retrieve resources from unintended origins, effectively turning the build process into an SSRF vector. The attack surface is limited to projects that have explicitly enabled `experiments.buildHttp`, but for those configurations the security implications are significant.
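As an added illustration (not webpack's code and not the actual `HttpUriPlugin` logic), the snippet below contrasts an allow-list check that matches on the raw URL string, which a URL carrying userinfo can slip past, with a hardened check that compares the parsed origin and rejects userinfo outright. `ALLOWED_PREFIX`, `ALLOWED_ORIGINS`, the function names and the sample host names are assumptions made for the example.

```javascript
// Added example, not webpack's implementation. Shows why an allow-list must be
// checked against the parsed URL, not the raw string.

// Allow-list entry written as a prefix regex, a common way such lists are expressed.
const ALLOWED_PREFIX = /^https:\/\/cdn\.example\.com/;

// Naive check: tests the raw string. Anything whose text begins with the allowed
// prefix passes, even when that text is the userinfo part of the URL rather than
// the host, or when the host merely starts with the allowed name.
function isAllowedNaive(url) {
  return ALLOWED_PREFIX.test(url);
}

// Hardened check: parse with the WHATWG URL parser and compare the components
// that decide where the request actually goes. Userinfo is rejected outright,
// since a build dependency has no reason to carry embedded credentials.
const ALLOWED_ORIGINS = new Set(["https://cdn.example.com"]);

function isAllowedStrict(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparsable input is never allowed
  }
  if (parsed.username !== "" || parsed.password !== "") return false;
  if (parsed.protocol !== "https:") return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Constructed sample inputs: a legitimate dependency URL, a URL in which the
// allowed host name appears only as userinfo before "@", and a look-alike host.
const SAMPLES = {
  legit: "https://cdn.example.com/lib/1.0.0/index.js",
  userinfo: "https://cdn.example.com@other.example/lib/index.js",
  lookalike: "https://cdn.example.com.other.example/lib/index.js",
};

// Returns, per sample, what each check decides so the difference is visible.
function evaluate() {
  const out = {};
  for (const [name, u] of Object.entries(SAMPLES)) {
    out[name] = { naive: isAllowedNaive(u), strict: isAllowedStrict(u) };
  }
  return out;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Only the `legit` sample passes the strict check; the naive check accepts all three, which is the class of mistake an origin-based comparison closes.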

Developers and DevOps teams should immediately assess whether their webpack configurations use the `experiments.buildHttp` option with `allowedUris` restrictions. The update from version 5.99.7 to 5.104.1 closes the bypass vector. Automated dependency management tools such as Renovate are already flagging this as a security-priority update. Given webpack's ubiquity in modern JavaScript build pipelines, the vulnerability warrants urgent attention—particularly in CI/CD environments where build processes may have broader network access than anticipated.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: webpack, SSRF, CVE-2025-68458, security vulnerability, buildHttp
- **Credibility**: unverified
- **Published**: 2026-05-10 12:01:39
- **ID**: 81519
- **URL**: https://whisperx.ai/en/intel/81519