Your message dated Sun, 29 Mar 2026 16:33:45 +0000
with message-id <[email protected]>
and subject line Bug#1127322: fixed in node-webpack 5.105.4+dfsg1+~cs15.13.23-1
has caused the Debian Bug report #1127322,
regarding node-webpack: CVE-2025-68157 CVE-2025-68458
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1127322: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-webpack
Version: 5.97.1+dfsg1+~cs11.18.27-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for node-webpack.

CVE-2025-68157[0]:
| Webpack is a module bundler. From version 5.49.0 to before 5.104.0,
| when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver
| (HttpUriPlugin) enforces allowedUris only for the initial URL, but
| does not re-validate allowedUris after following HTTP 30x redirects.
| As a result, an import that appears restricted to a trusted allow-
| list can be redirected to HTTP(S) URLs outside the allow-list. This
| is a policy/allow-list bypass that enables build-time SSRF behavior
| (requests from the build machine to internal-only endpoints,
| depending on network access) and untrusted content inclusion in
| build outputs (redirected content is treated as module source and
| bundled). This issue has been patched in version 5.104.0.


CVE-2025-68458[1]:
| Webpack is a module bundler. From version 5.49.0 to before 5.104.1,
| when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver
| (HttpUriPlugin) can be bypassed to fetch resources from hosts
| outside allowedUris by using crafted URLs that include userinfo
| (username:password@host). If allowedUris enforcement relies on a raw
| string prefix check (e.g., uri.startsWith(allowed)), a URL that
| looks allow-listed can pass validation while the actual network
| request is sent to a different authority/host after URL parsing.
| This is a policy/allow-list bypass that enables build-time SSRF
| behavior (outbound requests from the build machine to internal-only
| endpoints, depending on network access) and untrusted content
| inclusion (the fetched response is treated as module source and
| bundled). This issue has been patched in version 5.104.1.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68157
    https://www.cve.org/CVERecord?id=CVE-2025-68157
    https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758
[1] https://security-tracker.debian.org/tracker/CVE-2025-68458
    https://www.cve.org/CVERecord?id=CVE-2025-68458
    https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
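Both CVE texts in the report above describe the same class of defect in an HTTP allow-list: validating the URL as a string rather than as a parsed authority, and validating it only once rather than on every redirect hop. The block below is an added example, not webpack's or the Debian package's code. It shows a prefix check of the kind the second advisory names (`uri.startsWith(allowed)`) being satisfied by a URL whose userinfo mimics the allowed host, a hardened check that compares parsed scheme, hostname, port and path and rejects userinfo outright, and a redirect follower that re-validates each hop. It goes slightly beyond the page in one respect: the same prefix check also accepts a lookalike host that merely begins with the allowed host name, which the hardened check rejects too. All hostnames and the response table are constructed so the example runs offline in Node.

```javascript
// Added example, not webpack's code. Constructed hostnames and a constructed
// response table stand in for the network, so this runs offline in Node.

// The kind of check the advisory warns about: a raw string-prefix comparison.
// It also accepts "https://cdn.example.com.evil.example" when the allow-list
// entry lacks a trailing slash, for the same reason.
function isAllowedByPrefix(uri, allowedUris) {
  return allowedUris.some((allowed) => uri.startsWith(allowed));
}

// Hardened check: compare the parsed authority (scheme, hostname, port) and
// path prefix, and reject any URL that carries userinfo, since "user@host"
// is exactly what makes a crafted URL look allow-listed as a string.
function isAllowedByOrigin(uri, allowedUris) {
  let parsed;
  try {
    parsed = new URL(uri);
  } catch {
    return false; // unparseable input never matches
  }
  if (parsed.username !== "" || parsed.password !== "") return false;
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return false;
  return allowedUris.some((allowed) => {
    const a = new URL(allowed);
    return (
      a.protocol === parsed.protocol &&
      a.hostname === parsed.hostname &&
      a.port === parsed.port &&
      parsed.pathname.startsWith(a.pathname)
    );
  });
}

// Constructed stand-in for the network: a table of canned responses.
// 30x entries carry a Location header; 200 entries carry module source.
const FAKE_RESPONSES = {
  "https://cdn.example.com/lib.js": { status: 200, body: "export const x = 1;" },
  "https://cdn.example.com/moved.js": { status: 302, location: "https://cdn.example.com/lib.js" },
  "https://cdn.example.com/rel.js": { status: 307, location: "/lib.js" },
  "https://cdn.example.com/hop.js": { status: 301, location: "https://internal.example/secret.js" },
  "https://internal.example/secret.js": { status: 200, body: "export const leaked = true;" },
};

function fakeFetch(url) {
  return FAKE_RESPONSES[url];
}

// Follow redirects manually and re-run the allow-list check on EVERY hop.
// That is the gap the first advisory describes: checking only the initial
// URL lets a 30x response walk the request outside the allow-list.
function fetchWithAllowList(startUrl, allowedUris, fetchFn, maxRedirects = 5) {
  let current = startUrl;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!isAllowedByOrigin(current, allowedUris)) {
      return { ok: false, reason: `not in allowedUris at hop ${hop}: ${current}` };
    }
    const res = fetchFn(current);
    if (!res) return { ok: false, reason: `no response for ${current}` };
    if (res.status >= 300 && res.status < 400 && res.location) {
      // Location may be relative; resolve it against the URL just fetched.
      current = new URL(res.location, current).href;
      continue;
    }
    if (res.status === 200) return { ok: true, url: current, body: res.body };
    return { ok: false, reason: `HTTP ${res.status} for ${current}` };
  }
  return { ok: false, reason: "too many redirects" };
}

// Stand-alone demo of both weaknesses and the hardened behaviour.
function demo() {
  const allowed = ["https://cdn.example.com"];
  const crafted = "https://cdn.example.com@internal.example/lib.js";
  console.log("prefix check accepts crafted URL:", isAllowedByPrefix(crafted, allowed));
  console.log("actual host after parsing:", new URL(crafted).hostname);
  console.log("origin check accepts crafted URL:", isAllowedByOrigin(crafted, allowed));
  console.log("redirect within allow-list:", fetchWithAllowList("https://cdn.example.com/moved.js", allowed, fakeFetch));
  console.log("redirect outside allow-list:", fetchWithAllowList("https://cdn.example.com/hop.js", allowed, fakeFetch));
}

demo();
```

Normalising every allow-list entry to end with a `/` narrows the prefix bug, but comparing parsed components is the robust fix, and it only holds if the comparison is repeated on each redirect target; the two advisories are the two halves of that requirement.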
--- Begin Message ---
Source: node-webpack
Source-Version: 5.105.4+dfsg1+~cs15.13.23-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-webpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-webpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Mar 2026 18:07:38 +0200
Source: node-webpack
Architecture: source
Version: 5.105.4+dfsg1+~cs15.13.23-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1127322
Changes:
 node-webpack (5.105.4+dfsg1+~cs15.13.23-1) experimental; urgency=medium
 .
   * Team upload
   * Fix debian/watch: use webpack-cli@ tag format for webpack-cli component
   * Embed fastest-levenshtein (new dependency of webpack-cli 7)
   * New upstream version 5.105.4+dfsg1+~cs15.13.23
     (Closes: #1127322, CVE-2025-68157, CVE-2025-68458)
     - webpack-cli 7.0.2
     - terser-webpack-plugin 5.4.0
     - discoveryjs-json-ext 1.0.0
     - acorn-import-attributes 1.9.5
   * Patches:
    - drop fix-tsconfig, tsc-workaround, fix-prepareStackTrace-type,
      fix-commander-14-compat
    - add fix-webpack-cli-tsc-errors
    - update webpack-cli
   * Update build
Checksums-Sha1:
 63dbe90d3891f29216f756f73d42d2f5bfddb35a 5234 node-webpack_5.105.4+dfsg1+~cs15.13.23-1.dsc
 1797fc9c16f5cba9e8a4317675235c97760e4ea7 4612 node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-acorn-import-attributes.tar.xz
 502e1cd8fc203e0e7a234dda9587af009641edc4 52828 node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-discoveryjs-json-ext.tar.xz
 fa7050fd0ee7f94ab8287030916cb3136a3a0c70 5764 node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-fastest-levenshtein.tar.xz
 212a4e243d192faab38177bbff97d34b2ff98d6d 189296 node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-terser-webpack-plugin.tar.xz
 d757d807697f7ef16d08155d1b3ab0082283dc30 279812 node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-webpack-cli.tar.xz
 1ce00aab43e1b6a4c359de3754247b68afeccea7 3634996 node-webpack_5.105.4+dfsg1+~cs15.13.23.orig.tar.xz
 fd78306b362a966d9a0291890919ef026e66333b 29824 node-webpack_5.105.4+dfsg1+~cs15.13.23-1.debian.tar.xz
Checksums-Sha256:
 214c3016fc972560b881e6a6a6d443815a55e905aa1eee2e88129a80f67f2460 5234 node-webpack_5.105.4+dfsg1+~cs15.13.23-1.dsc
 cbf9361b2c196e4addc9d83b166c515baa143851cfcc1cb9287508e7e93036e8 4612 node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-acorn-import-attributes.tar.xz
 3f3349e52eceea591fd120bc840c830fa8e31c469f53edcb743ea35445fae662 52828 node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-discoveryjs-json-ext.tar.xz
 0216f5194ee58cadb2e5b8c494609f669def14ff8cc8a23165fd2af2266a8f18 5764 node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-fastest-levenshtein.tar.xz
 f91530e4b6dcfb2fc113915ef252934c06fbc2f186c4faed227c2c4a0cd2ad82 189296 node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-terser-webpack-plugin.tar.xz
 607f98cdb0117a3b563bebe05e929b95fe4baa7201452963b04f0cc0dec70712 279812 node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-webpack-cli.tar.xz
 4b681b65f5743caecd338365ba67e9b9bb6bff603317a78656cf6313029f0b7e 3634996 node-webpack_5.105.4+dfsg1+~cs15.13.23.orig.tar.xz
 2b3b8d1e777a141d737f0bfe40646b7b2200278b837ec41ffd08bd1101dde89c 29824 node-webpack_5.105.4+dfsg1+~cs15.13.23-1.debian.tar.xz
Files:
 0ea2014515c92d5613a32138fda8411b 5234 javascript optional node-webpack_5.105.4+dfsg1+~cs15.13.23-1.dsc
 8d534e7cf97f6332d6d1271964d75856 4612 javascript optional node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-acorn-import-attributes.tar.xz
 0e7854d6794ee6f4f4a4f3bf2f26dfb6 52828 javascript optional node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-discoveryjs-json-ext.tar.xz
 66e44c951560b78a90e3dcd3f0473dff 5764 javascript optional node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-fastest-levenshtein.tar.xz
 4d5a53b4254dc1584e63bf7d5f3a0146 189296 javascript optional node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-terser-webpack-plugin.tar.xz
 db149949d54edbacce5ca17fc863bc6b 279812 javascript optional node-webpack_5.105.4+dfsg1+~cs15.13.23.orig-webpack-cli.tar.xz
 761d77c1e28492c00e3e43dc06977aa8 3634996 javascript optional node-webpack_5.105.4+dfsg1+~cs15.13.23.orig.tar.xz
 2692cfaa5ba2da0d36a8caa15c178c45 29824 javascript optional node-webpack_5.105.4+dfsg1+~cs15.13.23-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpRgYG0OVRas.pgp
Description: PGP signature


--- End Message ---
