
CVE-2025-54100: Remote Code Execution in PowerShell's `Invoke-WebRequest`

Ikesan

The December 2025 Patch Tuesday included a fix for a Windows PowerShell remote code execution vulnerability, CVE-2025-54100.

Overview

| Item | Details |
| --- | --- |
| CVE | CVE-2025-54100 |
| Severity | Important (CVSS 7.8) |
| Type | Command injection / remote code execution |
| Affected platforms | Windows 10/11, Windows Server 2008 through 2025 |
| Disclosure date | December 9, 2025 |

What the Vulnerability Was

The `Invoke-WebRequest` cmdlet could execute scripts embedded in a web page when fetching that page.

If an attacker prepared a malicious web page and the user fetched it with PowerShell, arbitrary code could run in the user’s security context.

```powershell
# This kind of command would be dangerous against a malicious page
Invoke-WebRequest -Uri "https://malicious-site.example.com/page"
```

Behavior After the Patch

After the fix, `Invoke-WebRequest` shows a confirmation prompt if DOM parsing might execute a script.

```text
Confirm
The requested operation may cause DOM parsing that could execute scripts found in the web page.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"):
```

The default is No, so the operation is canceled unless the user explicitly confirms it.

Workaround

To prevent script execution, use the `-UseBasicParsing` switch.

```powershell
# Safe approach
Invoke-WebRequest -Uri "https://example.com" -UseBasicParsing
```

With `-UseBasicParsing`, PowerShell does not perform full DOM parsing, so embedded scripts are not executed.
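One way to audit existing scripts for calls that omit the switch, as an added example that is not part of the original post: the hypothetical function `Find-UnsafeWebRequest` parses script text with PowerShell's own AST parser and reports `Invoke-WebRequest` calls (including the `iwr`, `curl` and `wget` aliases of Windows PowerShell 5.1) that lack `-UseBasicParsing`. The sample script is constructed, and splatted calls are reported for manual review because their parameters cannot be resolved statically.

```powershell
# Added example (not from the original post). Function name is hypothetical.
function Find-UnsafeWebRequest {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Invoke-WebRequest and its built-in aliases in Windows PowerShell 5.1.
    $names = 'Invoke-WebRequest', 'iwr', 'curl', 'wget'
    $isCommand = { param($node) $node -is [System.Management.Automation.Language.CommandAst] }

    foreach ($cmd in $ast.FindAll($isCommand, $true)) {
        if ($cmd.GetCommandName() -notin $names) { continue }

        $basic = $false
        $splat = $false
        foreach ($el in $cmd.CommandElements) {
            if ($el -is [System.Management.Automation.Language.CommandParameterAst]) {
                # Accept unambiguous abbreviations such as -UseB, but treat
                # an explicit -UseBasicParsing:$false as not set.
                $match = $el.ParameterName.Length -ge 4 -and
                         'UseBasicParsing' -like "$($el.ParameterName)*"
                if ($match -and "$($el.Argument)" -ne '$false') { $basic = $true }
            }
            elseif ($el -is [System.Management.Automation.Language.VariableExpressionAst] -and
                    $el.Splatted) {
                $splat = $true
            }
        }
        if ($basic) { continue }

        $finding = if ($splat) { 'Splatted parameters: review manually' }
                   else { 'Missing -UseBasicParsing' }
        [pscustomobject]@{
            Line    = $cmd.Extent.StartLineNumber
            Finding = $finding
            Command = $cmd.Extent.Text
        }
    }
}

# Constructed sample script used as input.
$sample = @'
Invoke-WebRequest -Uri "https://example.com" -UseBasicParsing
iwr https://example.com/page
$p = @{ Uri = "https://example.com" }
Invoke-WebRequest @p
wget -Uri https://example.com -UseB
'@
Find-UnsafeWebRequest -ScriptText $sample | Format-Table -AutoSize
```

To scan a file, pass its contents with `Get-Content -Raw`. The check is static, so it does not see a switch supplied through `$PSDefaultParameterValues`.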

Fixes

| Target OS | KB number |
| --- | --- |
| Windows 11 24H2/25H2, Server 2025 | KB5074204 |
| Windows Server 2022 | KB5072033 |
| Windows 10 and earlier | KB5072077 |

References