Webpack Security Flaw (CVE-2025-68458) Allows Bypass of HTTP Resource Restrictions
A security vulnerability in the popular JavaScript module bundler webpack allows an attacker to bypass configured resource restrictions and have the build fetch code from unauthorized external servers. The flaw, tracked as CVE-2025-68458, is only reachable when the experimental `experiments.buildHttp` feature is enabled. It abuses URL userinfo (the `username:password@host` part of a URL) to slip past `allowedUris` entries that are enforced by plain string prefix matching: the allowlist check sees a string that begins with the trusted prefix, while the HTTP client parses everything before the `@` as credentials and connects to the host that follows it.
Specifically, the `HttpUriPlugin` can be tricked into fetching from a host the allowlist was meant to exclude. If a build's configuration allows any URI that starts with a trusted string such as `https://cdn.example.com` (without a trailing slash; a prefix ending in `/` cannot be followed by an `@`), an attacker who can influence an imported URL can supply `https://cdn.example.com@evil.com/`. The prefix check passes because the string does begin with `https://cdn.example.com`, but under standard URL parsing `cdn.example.com` is the userinfo and `evil.com` is the host, so the request is sent to `evil.com` rather than the intended CDN. This is a direct supply chain attack vector: untrusted code is pulled into the build process and bundled into the application.
The vulnerability underscores the persistent risks in complex build toolchains and dependency management. Projects that enable `experiments.buildHttp` to fetch remote modules or assets and rely on string `allowedUris` entries are exposed whenever an attacker can influence a URL the build fetches, for example through a contributed import specifier. The fix is included in webpack v5.104.1; teams should update from earlier affected versions (the report names 5.99.9 among them) and, until they can, review `allowedUris` so that entries match a full origin, an anchored regular expression, or a function that parses the URL rather than a bare prefix. The incident highlights how a mismatch between what a security check compares and what the URL parser and HTTP client actually act on can create exploitable gaps in widely used open-source infrastructure.