Source: node-webpack
Version: 5.97.1+dfsg1+~cs11.18.27-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for node-webpack.

CVE-2025-68157[0]:
| Webpack is a module bundler. From version 5.49.0 to before 5.104.0,
| when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver
| (HttpUriPlugin) enforces allowedUris only for the initial URL, but
| does not re-validate allowedUris after following HTTP 30x redirects.
| As a result, an import that appears restricted to a trusted allow-
| list can be redirected to HTTP(S) URLs outside the allow-list. This
| is a policy/allow-list bypass that enables build-time SSRF behavior
| (requests from the build machine to internal-only endpoints,
| depending on network access) and untrusted content inclusion in
| build outputs (redirected content is treated as module source and
| bundled). This issue has been patched in version 5.104.0.

CVE-2025-68458[1]:
| Webpack is a module bundler. From version 5.49.0 to before 5.104.1,
| when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver
| (HttpUriPlugin) can be bypassed to fetch resources from hosts
| outside allowedUris by using crafted URLs that include userinfo
| (username:password@host). If allowedUris enforcement relies on a raw
| string prefix check (e.g., uri.startsWith(allowed)), a URL that
| looks allow-listed can pass validation while the actual network
| request is sent to a different authority/host after URL parsing.
| This is a policy/allow-list bypass that enables build-time SSRF
| behavior (outbound requests from the build machine to internal-only
| endpoints, depending on network access) and untrusted content
| inclusion (the fetched response is treated as module source and
| bundled). This issue has been patched in version 5.104.1.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-68157
    https://www.cve.org/CVERecord?id=CVE-2025-68157
    https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758
[1] https://security-tracker.debian.org/tracker/CVE-2025-68458
    https://www.cve.org/CVERecord?id=CVE-2025-68458
    https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
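The two allow-list checks the advisories contrast, as an added illustration that is not webpack's own code: a raw `startsWith` prefix test beside a check that parses the URL and compares the authority, plus a re-check of every hop of a redirect chain (the step CVE-2025-68157 describes as missing). Host names, the `allowedUris` entries (string prefixes only) and the function names are constructed for this example.

```javascript
// Added example, not webpack's HttpUriPlugin. Uses Node's global WHATWG URL.

// Weak check: the raw string-prefix test described in CVE-2025-68458.
// It never parses the URL, so userinfo before '@' can look like the host.
function allowedByPrefix(uri, allowedUris) {
  return allowedUris.some((allowed) => uri.startsWith(allowed));
}

// Hardened check: parse first, refuse any userinfo, then compare the
// parsed protocol, host and path prefix against each allow-list entry.
function allowedByOrigin(uri, allowedUris) {
  let target;
  try {
    target = new URL(uri);
  } catch {
    return false; // unparseable input is never allow-listed
  }
  if (target.username !== "" || target.password !== "") return false;
  return allowedUris.some((allowed) => {
    const base = new URL(allowed);
    return (
      target.protocol === base.protocol &&
      target.host === base.host &&
      target.pathname.startsWith(base.pathname)
    );
  });
}

// Re-validate the initial URL and every Location target of a redirect
// chain; a single hop outside the allow-list fails the whole fetch.
function chainAllowed(hops, allowedUris) {
  return hops.every((hop) => allowedByOrigin(hop, allowedUris));
}

// Constructed sample values (hypothetical hosts).
const ALLOWED = ["https://cdn.example.com"];
const CRAFTED = "https://cdn.example.com@internal.example/lib.js";

// The parsed authority is internal.example, not the allow-listed host.
// allowedByPrefix(CRAFTED, ALLOWED) returns true
// allowedByOrigin(CRAFTED, ALLOWED) returns false
```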

