CVE-2025-56647: @farmfe/core is Missing Origin Validation in WebSocket

February 12, 2026

npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development (hot module reloading) server does not validate origin when connecting to a WebSocket client. This allows attackers to surveil developers running Farm who visit their webpage and steal source code that is leaked by the WebSocket server.

References

gist.github.com/R4356th/d4372c6f83275d583c180c0e7d7332af
github.com/advisories/GHSA-p773-8mf4-rjm5
github.com/farm-fe/farm
github.com/farm-fe/farm/commit/83342ef06e0aea37270950fd8c930422c4df0679
github.com/farm-fe/farm/issues/2168
nvd.nist.gov/vuln/detail/CVE-2025-56647

Code Behaviors & Features

Detect and mitigate CVE-2025-56647 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →