{"url":"http://public2.vulnerablecode.io/api/packages/758151?format=json","purl":"pkg:npm/webpack@5.88.2","type":"npm","namespace":"","name":"webpack","version":"5.88.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.104.1","latest_non_vulnerable_version":"5.104.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50028?format=json","vulnerability_id":"VCID-cg66-ea2t-abdr","summary":"webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior\nWhen `experiments.buildHttp` is enabled, webpack’s HTTP(S) resolver (`HttpUriPlugin`) can be bypassed to fetch resources from **hosts outside `allowedUris`** by using crafted URLs that include **userinfo** (`username:password@host`). If `allowedUris` enforcement relies on a **raw string prefix check** (e.g., `uri.startsWith(allowed)`), a URL that *looks* allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a **policy/allow-list bypass** that enables **build-time SSRF behavior** (outbound requests from the build machine to internal-only endpoints, depending on network access) and **untrusted content inclusion** (the fetched response is treated as module source and bundled). 
In my reproduction, the internal response was also persisted in the buildHttp cache.\n\nReproduced on:\n- webpack version: **5.104.0**\n- Node version: **v18.19.1**","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68458.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68458.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68458","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.0151","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01517","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0243","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02486","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0247","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68458"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68458","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68458"},{"reference_url":"https://github.com/webpack/webpack","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/webpack/webpack"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322","reference_id":"1127322","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322"},{"reference_url":
"https://bugzilla.redhat.com/show_bug.cgi?id=2437209","reference_id":"2437209","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437209"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68458","reference_id":"CVE-2025-68458","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68458"},{"reference_url":"https://github.com/advisories/GHSA-8fgc-7cc6-rx7x","reference_id":"GHSA-8fgc-7cc6-rx7x","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8fgc-7cc6-rx7x"},{"reference_url":"https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x","reference_id":"GHSA-8fgc-7cc6-rx7x","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-06T20:26:49Z/"}],"url":"https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73883?format=json","purl":"pkg:npm/webpack@5.104.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/webpack@5.104.1"}],"aliases":["CVE-2025-68458","GHSA-8fgc-7cc6-rx7x"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cg66-ea2t-abdr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50031?format=json","vulnerability_id":"VCID-g
z84-uu6f-2ubv","summary":"webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence\nWhen `experiments.buildHttp` is enabled, webpack’s HTTP(S) resolver (`HttpUriPlugin`) enforces `allowedUris` only for the **initial** URL, but **does not re-validate `allowedUris` after following HTTP 30x redirects**. As a result, an import that appears restricted to a trusted allow-list can be redirected to **HTTP(S) URLs outside the allow-list**. This is a **policy/allow-list bypass** that enables **build-time SSRF behavior** (requests from the build machine to internal-only endpoints, depending on network access) and **untrusted content inclusion in build outputs** (redirected content is treated as module source and bundled). In my reproduction, the internal response is also persisted in the buildHttp cache.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68157.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68157.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68157","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.0151","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01517","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0243","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02486","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0247","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68157"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2
025-68157","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68157"},{"reference_url":"https://github.com/webpack/webpack","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/webpack/webpack"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322","reference_id":"1127322","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127322"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437210","reference_id":"2437210","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2437210"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68157","reference_id":"CVE-2025-68157","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68157"},{"reference_url":"https://github.com/advisories/GHSA-38r7-794h-5758","reference_id":"GHSA-38r7-794h-5758","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-38r7-794h-5758"},{"reference_url":"https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758","reference_id":"GHSA-38r7-794h-5758","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026
-02-06T19:29:04Z/"}],"url":"https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73889?format=json","purl":"pkg:npm/webpack@5.104.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cg66-ea2t-abdr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/webpack@5.104.0"}],"aliases":["CVE-2025-68157","GHSA-38r7-794h-5758"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gz84-uu6f-2ubv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55739?format=json","vulnerability_id":"VCID-hy2d-zvtz-5kdp","summary":"Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS\nWe discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present.\n\nWe found the real-world exploitation of this gadget in the Canvas LMS, which allows an XSS attack to happen through JavaScript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. 
If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-43788.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-43788.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-43788","reference_id":"","reference_type":"","scores":[{"value":"0.0152","scoring_system":"epss","scoring_elements":"0.81607","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0152","scoring_system":"epss","scoring_elements":"0.81592","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0152","scoring_system":"epss","scoring_elements":"0.81601","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0152","scoring_system":"epss","scoring_elements":"0.81599","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-43788"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43788","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43788"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/webpack/webpack","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:
N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/webpack/webpack"},{"reference_url":"https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61"},{"reference_url":"https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://github.com/webpack/webpack/issues/18718#issuecomment-2326296270"},{"reference_url":"https://research.securitum.com/xss-in-amp4email-dom-clobbering","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M
:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://research.securitum.com/xss-in-amp4email-dom-clobbering"},{"reference_url":"https://scnps.co/papers/sp23_domclob.pdf","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://scnps.co/papers/sp23_domclob.pdf"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081906","reference_id":"1081906","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081906"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308193","reference_id":"2308193","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2308193"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43788","reference_id":"CVE-2024-43788","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-43788"},{"reference_url":"https://github.com/advisories/GHSA-4vvj-4cpr-p986","reference_id":"GHSA-4vvj-4cpr-p986","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4vvj-4cpr-p986"},{"reference_url":"https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986","reference_id":"GHSA-4vvj-4cpr-p986","referenc
e_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T18:09:32Z/"}],"url":"https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10214","reference_id":"RHSA-2024:10214","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10214"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10906","reference_id":"RHSA-2024:10906","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10906"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7706","reference_id":"RHSA-2024:7706","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7706"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7724","reference_id":"RHSA-2024:7724","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7724"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7725","reference_id":"RHSA-2024:7725","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7725"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7726","reference_id":"RHSA-2024:7726","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7726"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8014","reference_id":"RHSA-2024:8014","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8014"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:80
23","reference_id":"RHSA-2024:8023","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8023"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8113","reference_id":"RHSA-2024:8113","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8113"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8676","reference_id":"RHSA-2024:8676","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8676"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0323","reference_id":"RHSA-2025:0323","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0323"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82478?format=json","purl":"pkg:npm/webpack@5.94.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cg66-ea2t-abdr"},{"vulnerability":"VCID-gz84-uu6f-2ubv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/webpack@5.94.0"}],"aliases":["CVE-2024-43788","GHSA-4vvj-4cpr-p986"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hy2d-zvtz-5kdp"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/webpack@5.88.2"}