Browse all 6 CVE security advisories affecting webpack. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Webpack is a JavaScript module bundler primarily used for compiling and packaging web application assets. Historically, it has been susceptible to remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities, often through improper handling of user input or malicious plugins. Notable security characteristics include its complex configuration system, which can introduce misconfiguration risks. The project has addressed several critical vulnerabilities, including those allowing attackers to execute arbitrary code via crafted module requests. With six CVEs on record, security remains a concern, particularly in legacy versions where default configurations may expose applications to unnecessary risks.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-68157 | webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects — webpack (CWE-918) | 3.7 | Low | 2026-02-05 |
| CVE-2025-68458 | webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior — webpack (CWE-918) | 3.7 | Low | 2026-02-05 |
| CVE-2024-43788 | DOM Clobbering Gadget found in Webpack's AutoPublicPathRuntimeModule that leads to Cross-site Scripting (XSS) — webpack (CWE-79) | 6.4 | Medium | 2024-08-27 |

This page lists every published CVE security advisory associated with webpack. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.