CVSS Score: 6.5 Published: 2026-02-12 Full Report: https://cvereports.com/reports/CVE-2025-56647
A flaw in the @farmfe/core build tool (CVSS 6.5, Medium) allows a remote attacker to read source code directly from a developer's machine via Cross-Site WebSocket Hijacking (CSWSH). By failing to validate the Origin header during the Hot Module Replacement (HMR) WebSocket handshake, Farm permits any website a developer visits to connect to their local dev server and receive the HMR update payloads, which carry the changed module source.
The Farm build tool (versions < 1.7.6) leaves its HMR WebSocket open to any origin. Browsers do not apply same-origin or CORS restrictions to WebSocket handshakes, so a page on an attacker-controlled site can open a connection to ws://localhost:<port> as long as it knows or guesses the dev server's port; the only signal the server receives about the initiating page is the Origin header, and Farm did not check it. If a developer visits such a page while the dev server is running, the page can hold the hijacked socket open and collect source code in real time as the developer saves files.
- CWE ID: CWE-1385 (Missing Origin Validation in WebSockets)
- Attack Vector: Network (via Browser CSWSH)
- CVSS: 6.5 (Medium)
- EPSS Score: 0.00015
- Impact: Confidentiality (High)
- Exploit Status: PoC Available
- @farmfe/core npm package
- @farmfe/core: < 1.7.6 (Fixed in: 1.7.6)
- Upgrade to @farmfe/core v1.7.6+
- Isolate development environments in containers or VMs, so a hijacked dev server exposes only the project it serves
- Validate the Origin header against an explicit allow-list (the dev server's own origins) in any WebSocket server bound to localhost; reject mismatches before completing the handshake
Remediation Steps:
- Check the installed version of @farmfe/core using npm list @farmfe/core.
- If the version is below 1.7.6, update immediately via npm update @farmfe/core. Note that npm update only moves within the version range declared in package.json; if the range pins an older minor or patch, use npm install @farmfe/core@latest (or @1.7.6) instead.
- Verify the fix by attempting a WebSocket handshake against the running dev server with an arbitrary Origin header (for example from a page on a different host, or with a raw HTTP client) and confirming that the server refuses the upgrade; a handshake from the dev server's own origin should still succeed.
- GitHub Issue: Information Disclosure by Farm's Dev Server
- CWE-1385: Missing Origin Validation in WebSockets
Generated by CVEReports - Automated Vulnerability Intelligence