Windows PowerShell 5.1 now displays a security confirmation prompt when using the Invoke-WebRequest command to fetch web pages without special parameters.
Security Warning: Script Execution Risk Invoke-WebRequest parses the content of the web page. Script code in the web page might be run when the page is parsed.
RECOMMENDED ACTION: Use the -UseBasicParsing switch to avoid script code execution.
Do you want to continue?
This prompt warns that scripts in the page could run during parsing and advises using the -UseBasicParsing parameter to avoid any script execution. Users must choose to continue or cancel the operation. This change helps protect against malicious web content by requiring user consent before potentially risky actions.
PowerShell's Invoke-WebRequest command makes an HTTP or HTTPS request to a web server and returns the results. This article documents a hardening change where Windows PowerShell 5.1 intentionally displays a security confirmation prompt when using the Invoke-WebRequest command to fetch web pages without special parameters. This behavior occurs after supported Windows clients and servers have installed Windows Updates released on and after December 9, 2025. For more information, see CVE-2025-54100.
What Changed?
Previous behavior
Full Document Object Model (DOM) parsing using Internet Explorer components (HTMLDocument Interface (mshtml)), which could execute scripts from downloaded content.
New behavior
Security Confirmation Prompt: After installing the Windows updates released on or after December 9, 2025, running the Invoke-WebRequest command (also known as curl) in PowerShell 5.1 will trigger a security prompt (when no special parameter is used). The prompt appears in the PowerShell console with a warning about Script Execution Risk.
This means PowerShell is pausing to warn you that without precautions, the web page script content could execute on your system when it is processed. By default, if you press Enter (or choose No), the operation will be canceled for safety. PowerShell will show a message that it was canceled due to security concerns, and suggests re-running the command by using the -UseBasicParsing parameter for safe processing. If you choose Yes, PowerShell will proceed to parse the page using the older method (full HTML parsing), meaning it will load the content and any embedded scripts as it used to. Essentially, choosing Yes means you are accepting the risk and allowing the command to run as it did before, while choosing No (the default) stops the action to protect you.
Interactive vs. Scripted Use: The introduction of this prompt primarily affects interactive usage. In interactive sessions, you will see the warning and have to respond. For automated scripts (non-interactive scenarios such as scheduled tasks or CI pipelines), this prompt could cause the script to hang waiting for input. To avoid that, we recommend updating such scripts to explicitly use safe parameters (see below), ensuring they do not require manual confirmation.
Added the "Security Warning" to the "Summary" section.
Added the following paragraph to the "Summary" section for clarity:
PowerShell's Invoke-WebRequest command makes an HTTP or HTTPS request to a web server and returns the results. This article documents a hardening change where Windows PowerShell 5.1 intentionally displays a security confirmation prompt when using the Invoke-WebRequest command to fetch web pages without special parameters. This behavior occurs after supported Windows clients and servers have installed install Windows Updates released on and after December 9, 2025. For more information, see CVE-2025-54100.
Added the following bullet points to "For automated scripts or scheduled tasks" in Option 1 of the "Take action" section.
For scripts that run with the no-profile option: If the script has many occurrences of the Invoke-WebRequest calls, declare $PSDefaultParameterValues['Invoke-WebRequest:UseBasicParsing'] = $true at the top of the script.
When Invoke-WebRequest is used with the -UseBasicParsing parameter, Full Document Object Model (DOM) parsing using Internet Explorer components (HTMLDocument Interface (mshtml)) is not possible.
Added the following bullet point to the "Modernize your approach to web interactions" bullet point of Option 2 in the "Take action" section.
Invoke-Webrequest in Powershell Core (version 7.x or later) does not support DOM parsing using Internet Explorer components. Its default parsing will safely retrieve the content without script execution.
