CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-56647: Harvesting Your Code: The Farm Dev Server CSWSH Exploit


Vulnerability ID: CVE-2025-56647
CVSS Score: 6.5
Published: 2026-02-12

A critical flaw in the @farmfe/core build tool allows remote attackers to siphon source code directly from a developer's machine via Cross-Site WebSocket Hijacking (CSWSH). By failing to validate the Origin header during Hot Module Replacement (HMR) negotiation, Farm permits any website visited by a developer to connect to their local dev server and listen for code updates.

TL;DR

The Farm build tool (versions < 1.7.6) leaves its HMR WebSocket wide open. If a developer visits a malicious site while their dev server is running, the site can connect to localhost, hijack the WebSocket, and steal source code in real time as the developer saves files.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1385 (Missing Origin Validation in WebSockets)
  • Attack Vector: Network (via Browser CSWSH)
  • CVSS: 6.5 (Medium)
  • EPSS Score: 0.00015
  • Impact: Confidentiality (High)
  • Exploit Status: PoC Available

Affected Systems

  • @farmfe/core npm package
  • @farmfe/core: < 1.7.6 (Fixed in: 1.7.6)

Code Analysis

Commit: 83342ef

fix(core): Add origin check to the HMR server

Modified packages/core/src/server/ws.ts to include Origin header validation in isHMRRequest

Exploit Details

  • GitHub Issue #2168: Original report detailing the lack of origin validation in HMR
  • Internal PoC: Browser-based JS payload to connect to localhost:9000 and log messages

Mitigation Strategies

  • Upgrade to @farmfe/core v1.7.6+
  • Isolate development environments in containers
  • Implement strict Origin validation in all WebSocket servers

Remediation Steps:

  1. Check the installed version of @farmfe/core using npm list @farmfe/core.
  2. If the version is below 1.7.6, update immediately via npm update @farmfe/core.
  3. Verify the fix by inspecting network traffic during HMR; ensure connections with arbitrary Origins are rejected.
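The kind of Origin check the fix describes, as an added example in plain JavaScript (not @farmfe/core's own isHMRRequest); the /__hmr path, the function names, the constructed sample handshakes and the use of port 9000 from the PoC are all assumptions.

```javascript
// Hypothetical Origin check for an HMR WebSocket upgrade, modelled on the
// CWE-1385 fix above. Not @farmfe/core's isHMRRequest; the /__hmr path and
// every function name here are assumptions.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Turn a raw HTTP/1.1 upgrade request (as captured on the wire) into a
// lowercase-keyed header map; only the header block matters here.
function parseUpgradeRequest(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Parse an Origin header value; null when absent, the opaque "null" origin,
// malformed, or not http(s). URL parsing lowercases the host for us.
function parseOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url : null;
}

// Accept only a WebSocket handshake whose Origin is the dev server itself
// (loopback host on devPort) or an explicitly allowlisted origin. A missing
// Origin is rejected: browsers always send it on WebSocket handshakes, so
// only non-browser clients are affected, and they are not the CSWSH threat.
function isAllowedHmrUpgrade(headers, devPort, allowedOrigins = []) {
  if ((headers.upgrade || '').toLowerCase() !== 'websocket') return false;
  const url = parseOrigin(headers.origin);
  if (url === null) return false;
  if (allowedOrigins.includes(url.origin)) return true;
  // Exact host match defeats suffix tricks such as localhost.attacker.example;
  // an empty port means the scheme default (80/443).
  const port = url.port || (url.protocol === 'https:' ? '443' : '80');
  return LOOPBACK_HOSTS.has(url.hostname) && port === String(devPort);
}

// Constructed sample handshakes: one from the dev server's own page and one
// from an unrelated site the developer happened to have open.
const LEGIT = 'GET /__hmr HTTP/1.1\r\nHost: localhost:9000\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nOrigin: http://localhost:9000\r\n\r\n';
const HIJACK = 'GET /__hmr HTTP/1.1\r\nHost: localhost:9000\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nOrigin: https://attacker.example\r\n\r\n';

function demo() {
  return { legit: isAllowedHmrUpgrade(parseUpgradeRequest(LEGIT), 9000),
           hijack: isAllowedHmrUpgrade(parseUpgradeRequest(HIJACK), 9000) };
}
console.log(demo()); // { legit: true, hijack: false }
```

The same function can be run over upgrade requests captured while verifying the fix in step 3, to confirm which Origins a correct check would have rejected.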

Read the full report for CVE-2025-56647 on our website for more details including interactive diagrams and full exploit analysis.
