Vulnerability	Vulnerable Version
L Server-side Request Forgery (SSRF) Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `HttpUriPlugin` component when HTTP redirects are followed without re-validating the allowed URIs. An attacker can cause unauthorized network requests to internal services and inclusion of untrusted content in build outputs by manipulating import URLs to trigger redirects outside the intended allow-list. Note: This is only exploitable if `experiments.buildHttp` is enabled. How to fix Server-side Request Forgery (SSRF)? Upgrade `webpack` to version 5.104.0 or higher.	>=5.49.0 <5.104.0
L Server-side Request Forgery (SSRF) Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `HttpUriPlugin` component. An attacker can cause unauthorized outbound requests to internal or otherwise restricted endpoints and include untrusted content in build outputs by crafting URLs with userinfo components that bypass allow-list validation. Note: This is only exploitable if `experiments.buildHttp` is enabled. How to fix Server-side Request Forgery (SSRF)? Upgrade `webpack` to version 5.104.1 or higher.	>=5.49.0 <5.104.1

Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HttpUriPlugin component when HTTP redirects are followed without re-validating the allowed URIs. An attacker can cause unauthorized network requests to internal services and inclusion of untrusted content in build outputs by manipulating import URLs to trigger redirects outside the intended allow-list.

Note:

This is only exploitable if experiments.buildHttp is enabled.

How to fix Server-side Request Forgery (SSRF)?

Upgrade webpack to version 5.104.0 or higher.

>=5.49.0 <5.104.0

Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HttpUriPlugin component. An attacker can cause unauthorized outbound requests to internal or otherwise restricted endpoints and include untrusted content in build outputs by crafting URLs with userinfo components that bypass allow-list validation.

Note:

This is only exploitable if experiments.buildHttp is enabled.

How to fix Server-side Request Forgery (SSRF)?

Upgrade webpack to version 5.104.1 or higher.

>=5.49.0 <5.104.1

Go back to all versions of this package