{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-27T07:30:30.870","vulnerabilities":[{"cve":{"id":"CVE-2025-68458","sourceIdentifier":"security-advisories@github.com","published":"2026-02-05T23:15:53.940","lastModified":"2026-02-13T19:16:14.680","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1."},{"lang":"es","value":"Webpack es un empaquetador de módulos. Desde la versión 5.49.0 hasta antes de la 5.104.1, cuando experiments.buildHttp está habilitado, el resolvedor HTTP(S) de webpack (HttpUriPlugin) puede ser eludido para obtener recursos de hosts fuera de allowedUris utilizando URLs manipuladas que incluyen userinfo (username:password@host). Si la aplicación de allowedUris se basa en una comprobación de prefijo de cadena sin procesar (por ejemplo, uri.startsWith(allowed)), una URL que parece estar en la lista de permitidos puede pasar la validación mientras que la solicitud de red real se envía a una autoridad/host diferente después del análisis de la URL. Esto es una omisión de política/lista de permitidos que habilita el comportamiento SSRF en tiempo de compilación (solicitudes salientes desde la máquina de compilación a puntos finales solo internos, dependiendo del acceso a la red) y la inclusión de contenido no confiable (la respuesta obtenida se trata como fuente de módulo y se empaqueta). Este problema ha sido parcheado en la versión 5.104.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.2,"impactScore":2.5}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-918"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:webpack.js:webpack:*:*:*:*:*:node.js:*:*","versionStartIncluding":"5.49.0","versionEndExcluding":"5.104.1","matchCriteriaId":"0AEEDFC3-E074-45A4-8E77-E10FE80A8054"}]}]}],"references":[{"url":"https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}