CVE-2025-56647

MEDIUM

6.5

Descricao

npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development (hot module reloading) server does not validate origin when connecting to a WebSocket client. This allows attackers to surveil developers running Farm who visit their webpage and steal source code that is leaked by the WebSocket server.

Detalhes CVE

Pontuacao CVSS v3.16.5

SeveridadeMEDIUM

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioREQUIRED

Publicado2/12/2026

Ultima modificacao2/13/2026

Fontenvd

Avistamentos honeypot0

Fraquezas (CWE)

CWE-1385

Referencias

https://gist.github.com/R4356th/d4372c6f83275d583c180c0e7d7332af(cve@mitre.org)

https://github.com/farm-fe/farm/commit/83342ef06e0aea37270950fd8c930422c4df0679(cve@mitre.org)

https://github.com/farm-fe/farm/issues/2168(cve@mitre.org)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.