CVE-2025-56647Missing Origin Validation in WebSockets in Core

CWE-1385Missing Origin Validation in WebSockets5 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 99.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
14
Farmfe CoreMsrc Azl3 Kernel 6.6.104.2-4 ON Azure Linux 3.0Msrc Azl3 Kernel 6.6.112.1-2 ON Azure Linux 3.0+11 more
Timeline
PublishedFeb 12

Description

npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development (hot module reloading) server does not validate origin when connecting to a WebSocket client. This allows attackers to surveil developers running Farm who visit their webpage and steal source code that is leaked by the WebSocket server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages14 packages

npmfarmfe/core< 1.7.6

🔴Vulnerability Details

2
OSV
@farmfe/core is Missing Origin Validation in WebSocket2026-02-12
GHSA
@farmfe/core is Missing Origin Validation in WebSocket2026-02-12

📋Vendor Advisories

1
Microsoft
net: Fix icmp host relookup triggering ip_rt_bug2024-12-10

🕵️Threat Intelligence

1
Wiz
CVE-2025-56647 Impact, Exploitability, and Mitigation Steps | Wiz