npm package
webpack
pkg:npm/webpack
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-68157 | — | — | — | >= 5.49.0, < 5.104.0 | 5.104.0 | Feb 5, 2026 | Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a resul |
| CVE-2025-68458 | — | — | — | >= 5.49.0, < 5.104.1 | 5.104.1 | Feb 5, 2026 | Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@h |
| CVE-2024-43788 | — | — | — | >= 5.0.0-alpha.0, < 5.94.0 | 5.94.0 | Aug 27, 2024 | Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s |
| CVE-2023-28154 | — | — | — | >= 5.0.0, < 5.76.0 | 5.76.0 | Mar 13, 2023 | Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object. |