Webpack HttpUriPlugin Policy Bypass Vulnerability Allowing Build-Time SSRF

Vulnerability

A policy bypass vulnerability has been identified in Webpack versions 5.49.0 up to but not including 5.104.1 when the 'experiments.buildHttp' feature is enabled. The HTTP(S) resolver, 'HttpUriPlugin', is meant to fetch only from hosts listed in the configured 'allowedUris', but that policy can be bypassed. A URL crafted with userinfo (username:password@host) can place an allowlisted host name in the userinfo portion while the host that is actually contacted after URL parsing is a different one, outside 'allowedUris'. Because the fetch is performed by the build machine, this amounts to build-time Server-Side Request Forgery (SSRF): depending on that machine's network position, the outbound request can reach internal-only endpoints. The fetched response is also treated as module source and bundled into the final output, so untrusted content can be pulled into the application.
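The mechanism above, modelled as an added example in Node.js (this is illustrative code, not webpack's own HttpUriPlugin implementation). It assumes a constructed allowlist of one CDN origin and contrasts a weak policy that prefix-matches the raw URL string with a hardened policy that parses the URL the way the HTTP client will and compares the resolved origin. The crafted URL, the hostnames and the helper names are all constructed for the example.

```javascript
// Illustrative model of an allowedUris bypass via userinfo (added example, not
// webpack's own code). WHATWG URL parsing, which Node's http/https clients
// follow, splits "user:pass@" off the authority, so the host that is contacted
// is whatever follows the '@', not what a naive string check saw.

// Constructed configuration: one allowed CDN origin. A prefix without a
// trailing slash is common in allowlists and is what makes the string match
// exploitable here.
const ALLOWED_URIS = ["https://cdn.example.com"];

// Weak policy: raw string prefix match. The allowlisted host sits at the start
// of the crafted string (as the username), so this check passes.
function weakIsAllowed(uri, allowed = ALLOWED_URIS) {
  return allowed.some((prefix) => uri.startsWith(prefix));
}

// Where the request actually goes after parsing. Returns null for anything
// unparseable so callers refuse rather than guess.
function requestDestination(uri) {
  try {
    const u = new URL(uri);
    return {
      protocol: u.protocol,
      hostname: u.hostname,
      port: u.port,
      username: u.username,
      password: u.password,
    };
  } catch {
    return null;
  }
}

// Hardened policy: compare parsed origins, reject any userinfo outright (a
// build-time dependency URL has no business carrying credentials), and pin the
// scheme. The https-only rule is a policy choice made for this example.
function strictIsAllowed(uri, allowed = ALLOWED_URIS) {
  const dest = requestDestination(uri);
  if (dest === null) return false;
  if (dest.username !== "" || dest.password !== "") return false;
  if (dest.protocol !== "https:") return false;
  return allowed.some((prefix) => {
    const a = new URL(prefix);
    return (
      a.protocol === dest.protocol &&
      a.hostname === dest.hostname &&
      a.port === dest.port
    );
  });
}

// Constructed crafted URL: the allowlisted host occupies the userinfo slot and
// the real host is a link-local metadata address reachable only from the
// build machine. LEGIT is a genuine CDN URL that the policy should accept.
const CRAFTED =
  "https://cdn.example.com:anything@169.254.169.254/latest/meta-data/";
const LEGIT = "https://cdn.example.com/lib/v1/index.js";

// Summarises how each policy treats the two URLs.
function demo() {
  return {
    weakPassesCrafted: weakIsAllowed(CRAFTED),
    craftedActualHost: requestDestination(CRAFTED).hostname,
    strictRejectsCrafted: !strictIsAllowed(CRAFTED),
    strictAcceptsLegit: strictIsAllowed(LEGIT),
  };
}

console.log(demo());
```

The point the example makes is that the allowlist decision and the fetch must agree on what the destination is; checking the string a developer wrote while connecting to the host a parser extracted is the gap the advisory describes. Webpack's 'allowedUris' also accepts function entries, so a check like strictIsAllowed can be supplied as an entry for defence in depth, but that is an addition to, not a substitute for, updating to a fixed release.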

Impact

Exploitation of this vulnerability allows the build machine to be used as a proxy to internal-only services via SSRF, potentially leaking sensitive information (for example from endpoints that are reachable only from inside the build network) or disrupting those services. Furthermore, because the fetched response is bundled as module source, attacker-controlled content can be introduced into the build output, contaminating the software supply chain with malicious code shipped in the application.

Reproduction

To reproduce this vulnerability, create a Webpack project, enable the 'experiments.buildHttp' feature with a restrictive 'allowedUris', and import a module from a crafted URL whose userinfo contains an allowlisted host and whose actual host is an internal-only address. When the bundle is built, Webpack fetches the internal resource despite the policy, demonstrating the SSRF behavior, and the fetched content appears in the emitted output.

Remediation

Users should update Webpack to version 5.104.1 or later, where this vulnerability has been patched. The feature is opt-in: builds that do not enable 'experiments.buildHttp' are not affected, and disabling it is an interim option until the update can be applied.

Added: Feb 5, 2026, 11:22 PM
Updated: Feb 5, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 3.1
exploitability: 4.4
remediation: 7.7
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.