CVE-2025-56647

CVSS 6.5 MEDIUM · EPSS 0.2% · CWE-1385
In short

The Farm development server does not check which origin a WebSocket connection comes from, so an attacker who lures a developer to a malicious web page can connect to the developer's local server, watch their session and read the source code it transmits.

Technical detail

Missing origin validation in the WebSocket server used for hot module reloading (HMR) in @farmfe/core before 1.7.6 allows cross-origin WebSocket connections. An attacker can serve a malicious webpage to a developer, establish an unauthorized WebSocket connection to the HMR server, and intercept source code transmitted over the unvalidated channel.

Summary generated and translated by AI from the official description.
npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development (hot module reloading) server does not validate origin when connecting to a WebSocket client. This allows attackers to surveil developers running Farm who visit their webpage and steal source code that is leaked by the WebSocket server.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
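The fix for CWE-1385 in an HMR server is to validate the Origin header during the WebSocket handshake, before any module source is written to the socket. The following is an added illustration of that check for a Node-based dev server; it is not Farm's code, and the allow-list of dev-server origins and the port 9000 are assumptions.

```javascript
// Added example: Origin validation for a dev-server WebSocket upgrade (not @farmfe/core's code).
// Assumed allow-list: the origins the dev server itself is served on.
const DEV_SERVER_ORIGINS = ["http://localhost:9000", "http://127.0.0.1:9000"];

// Canonical form of an origin (scheme://host[:port], lowercase host, default port
// dropped), or null if the value is not a well-formed, non-opaque origin.
function canonicalOrigin(value) {
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return null; // e.g. the literal string "null" or garbage
  }
  // URL.origin is "null" for opaque origins (file://, data:, sandboxed iframes).
  return parsed.origin === "null" ? null : parsed.origin;
}

// Decide whether a WebSocket upgrade may proceed, given the request headers.
// Browsers always attach Origin to a WebSocket handshake, so a page on another
// site cannot hide where the connection comes from; a missing header means a
// non-browser client (CLI tooling), which is not the attack described here.
function checkUpgradeOrigin(headers, allowed = DEV_SERVER_ORIGINS) {
  const origin = headers["origin"]; // Node lowercases header names
  if (origin === undefined) {
    // Policy choice: set accept to false if only browsers should ever connect.
    return { accept: true, reason: "no Origin header (non-browser client)" };
  }
  const canon = canonicalOrigin(origin);
  if (canon === null) {
    return { accept: false, reason: `unparseable or opaque Origin: ${origin}` };
  }
  const allowedSet = new Set(allowed.map(canonicalOrigin));
  if (allowedSet.has(canon)) {
    return { accept: true, reason: "Origin matches the dev server" };
  }
  return { accept: false, reason: `cross-origin WebSocket handshake from ${canon}` };
}

// Hook for http.Server's 'upgrade' event: refuse with 403 and close the socket
// before handing off to the WebSocket library, so no HMR payload is ever sent.
function onUpgrade(req, socket) {
  const verdict = checkUpgradeOrigin(req.headers);
  if (!verdict.accept) {
    socket.write("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n");
    socket.destroy();
    return false;
  }
  return true; // caller continues with its WebSocket handleUpgrade here
}
```

Register `onUpgrade` with `server.on("upgrade", ...)` and only call the WebSocket library's handshake when it returns true.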
Affected products
n/a · n/a