fix: bump webpack to ≥5.104.1 (CVE-2025-68458 / GHSA-8fgc-7cc6-rx7x)#2017
Draft
mikeharder with Copilot wants to merge 2 commits into
Conversation
Copilot AI changed the title from "[WIP] Fix webpack buildHttp allowedUris allow-list bypass vulnerability" to "fix: bump webpack to ≥5.104.1 (CVE-2025-68458 / GHSA-8fgc-7cc6-rx7x)" on Jun 24, 2026
webpack's HttpUriPlugin (experiments.buildHttp) allowed allowedUris bypass via userinfo-embedded URLs (http://allowed@internal/path), causing build-time SSRF and untrusted content inclusion. Fixed in webpack 5.104.1.

Changes

- pnpm-workspace.yaml — adds workspace-level override `webpack: ">=5.104.1"` to enforce the patched floor across the whole tree.
- packages/autorest.gotest/package.json — adds `webpack: ">=5.104.1"` as an explicit devDependency. Required because webpack was only a transitive peer dep (via ts-loader/terser-webpack-plugin inside @autorest/testmodeler); without an explicit consumer, pnpm's override mechanism silently skipped it.
- pnpm-lock.yaml — webpack now resolves to 5.107.2 everywhere; webpack@5.99.9 is fully removed.

Reachability Assessment

Not reachable — high confidence.

experiments.buildHttp / HttpUriPlugin is not used anywhere in this repo. Webpack is a transitive build-tooling peer dep only; the patch satisfies the vulnerability scanner rather than addressing an active risk.

Original prompt
This section details the Dependabot vulnerability alert you should resolve
<alert_title>webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior</alert_title>
<alert_description>### Summary

When experiments.buildHttp is enabled, webpack's HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). In my reproduction, the internal response was also persisted in the buildHttp cache.

Reproduced on:
Details
Root cause (high level):
allowedUris validation can be performed on the raw URI string, while the actual request destination is determined later by parsing the URL (e.g., new URL(uri)), which interprets the authority as the part after @.

Example crafted URL:

http://127.0.0.1:9000@127.0.0.1:9100/secret.js

If the allow-list is ["http://127.0.0.1:9000"], then:

- crafted.startsWith("http://127.0.0.1:9000") → true
- Parsed URL (what new URL() will contact): origin → http://127.0.0.1:9100 (host/port after @)

As a result, webpack fetches http://127.0.0.1:9100/secret.js even though allowedUris only included http://127.0.0.1:9000.

Evidence from reproduction:

[internal] 200 /secret.js served (...) (observed multiple times)

PoC
This PoC is intentionally constrained to 127.0.0.1 (localhost-only “internal service”) to demonstrate SSRF behavior safely.
1) Setup
2) Create server.js
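The allow-list bypass the alert describes, as an added example that is not part of this PR, the Dependabot alert, or webpack's own code: a raw `startsWith` check (the vulnerable pattern) beside a check performed on the parsed URL, so that policy and the eventual socket target are evaluated on the same view. The allow-list and crafted URL are the ones quoted in the alert; the function names and the benign URL are illustrative assumptions.

```javascript
// Added example, not webpack's code. Function names are illustrative.

// Allow-list from the alert's reproduction.
const ALLOWED_URIS = ["http://127.0.0.1:9000"];

// Crafted URL from the alert: the text before "@" is userinfo, so the
// authority the request actually goes to is "127.0.0.1:9100".
const CRAFTED = "http://127.0.0.1:9000@127.0.0.1:9100/secret.js";

// Constructed benign URL (assumption) that genuinely lives on the allowed origin.
const BENIGN = "http://127.0.0.1:9000/lib/index.js";

// Vulnerable pattern: policy is evaluated on the raw string. The userinfo
// portion satisfies the prefix and the real host is never inspected.
function isAllowedByPrefix(uri, allowed) {
  return allowed.some((prefix) => uri.startsWith(prefix));
}

// Where the request would actually go, per WHATWG URL parsing.
function requestOrigin(uri) {
  return new URL(uri).origin;
}

// Hardened pattern: parse first, then compare origin (scheme + host + port)
// and path prefix against the parsed allow-list entries. Userinfo is rejected
// outright, since a build-time module fetch has no legitimate use for it.
function isAllowedByParsedUrl(uri, allowed) {
  let target;
  try {
    target = new URL(uri);
  } catch (e) {
    return false; // unparseable input never passes policy
  }
  if (target.username !== "" || target.password !== "") return false;
  if (target.protocol !== "http:" && target.protocol !== "https:") return false;

  return allowed.some((entry) => {
    const base = new URL(entry);
    // Same authority the socket will be opened to.
    if (target.origin !== base.origin) return false;
    // Confine to the allowed path prefix; "http://h:p" parses to pathname "/".
    const basePath = base.pathname.endsWith("/") ? base.pathname : base.pathname + "/";
    return target.pathname === base.pathname || target.pathname.startsWith(basePath);
  });
}

for (const uri of [BENIGN, CRAFTED]) {
  console.log(uri);
  console.log(
    "  prefix check:", isAllowedByPrefix(uri, ALLOWED_URIS),
    "| parsed check:", isAllowedByParsedUrl(uri, ALLOWED_URIS),
    "| would connect to:", requestOrigin(uri),
  );
}
```

Running it shows the crafted URL passing the prefix check while `requestOrigin` reports `http://127.0.0.1:9100`; the parsed check rejects it both because of the userinfo and because the origin differs from every allow-list entry.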