Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
Vulnerability Description
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
Webpack 代码问题漏洞
Vulnerability Description
Webpack是Webpack开源的一个模块打包器。它的主要目的是捆绑 JavaScript 文件以便在浏览器中使用,但它也能够转换、捆绑或打包几乎任何资源或资产。 Webpack 5.49.0至5.104.1之前版本存在代码问题漏洞,该漏洞源于当启用experiments.buildHttp时,可通过使用包含用户信息的特制URL绕过HTTP(S)解析器以从允许列表外的主机获取资源,可能导致策略或允许列表绕过,从而在构建时引发服务端请求伪造行为。
CVSS Information
N/A
Vulnerability Type
N/A