Commit aef5e73

Document breaking change from CVE (#12587) (#12588)
1 parent d231e6d commit aef5e73

1 file changed

+24
-3
lines changed

reference/5.1/Microsoft.PowerShell.Utility/Invoke-WebRequest.md

Lines changed: 24 additions & 3 deletions
@@ -2,7 +2,7 @@
22
external help file: Microsoft.PowerShell.Commands.Utility.dll-Help.xml
33
Locale: en-US
44
Module Name: Microsoft.PowerShell.Utility
5-
ms.date: 10/29/2025
5+
ms.date: 12/16/2025
66
online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-5.1&WT.mc_id=ps-gethelp
77
schema: 2.0.0
88
aliases:
@@ -39,8 +39,29 @@ This cmdlet was introduced in Windows PowerShell 3.0.
3939

4040
> [!WARNING]
4141
> By default, `Invoke-WebRequest` parses the content of the web page. Script code in the web page
42-
> might be run when the page is parsed. Use the `-UseBasicParsing` switch to avoid script code
43-
> execution.
42+
> might be run when the page is parsed. On **December 9, 2025**, Microsoft released a security
43+
> update for [CVE-2025-54100](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100)
44+
> that changes the default behavior of `Invoke-WebRequest`. After you install the updates, when you
45+
> use the `Invoke-WebRequest` command you see the following confirmation prompt with security
46+
> warning of script execution risk:
47+
>
48+
> ```
49+
> Security Warning: Script Execution Risk
50+
> Invoke-WebRequest parses the content of the web page. Script code in the web page might be
51+
> run when the page is parsed.
52+
> RECOMMENDED ACTION:
53+
> Use the -UseBasicParsing switch to avoid script code execution.
54+
> Do you want to continue?
55+
> ```
56+
>
57+
> To avoid the confirmation prompt, you must use the **UseBasicParsing** parameter. There is no way
58+
> to bypass this prompt without using the **UseBasicParsing** parameter. If you answer "Y" to the
59+
> prompt, the command runs with full parsing of the web page content, which could run script code in
60+
> the web page.
61+
>
62+
> For more information about this security update, see
63+
> [PowerShell 5.1: Preventing script execution from web content](https://support.microsoft.com/KB/5074596).
64+
4465
4566
This command can be run using the `iwr`, `curl`, or `wget` aliases.
4667
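
Review bot: The sentence at new lines 44-46 reads as if every `Invoke-WebRequest` call now prompts; the condition that the prompt appears only when **UseBasicParsing** is omitted is left for the reader to infer from new line 57. Suggest stating it up front, for example "when you run `Invoke-WebRequest` without the **UseBasicParsing** parameter, you see the following confirmation prompt", and changing "with security warning" to "with a security warning". Because the commit title calls this a breaking change, the warning should also say what callers that cannot answer a prompt (scheduled or otherwise unattended scripts) should expect, and whether the `iwr`, `curl`, and `wget` aliases mentioned in the context line just below behave the same way. The code fence around the prompt text at new lines 48-55 has no language tag.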
