Medium severity (score 6.5) · NVD Advisory · Published Feb 12, 2026 · Updated Apr 15, 2026
CVE-2025-56647
Description
The npm package @farmfe/core before 1.7.6 is missing Origin validation on its WebSocket. The development (hot module reloading) server does not check the `Origin` header of incoming WebSocket connections, so any web page a developer visits while running the Farm dev server can open a cross-site WebSocket to the local HMR server. This lets an attacker's page surveil the developer's session and read source code that the HMR server sends over that socket.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @farmfe/core (npm) | < 1.7.6 | 1.7.6 |
Affected products
Patches (1)
26f28e623df3b Version Packages (#2186)
22 files changed · +60 −39
bench/CHANGELOG.md+8 −0 modified@@ -1,5 +1,13 @@ # bench +## 1.0.47 + +### Patch Changes + +- Updated dependencies [83342ef0] +- Updated dependencies [c7bcfa0f] + - @farmfe/core@1.7.6 + ## 1.0.46 ### Patch Changes
bench/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "bench", - "version": "1.0.46", + "version": "1.0.47", "private": true, "description": "", "scripts": {},
.changeset/cyan-ligers-hammer.md+0 −5 removed@@ -1,5 +0,0 @@ ---- -"@farmfe/cli": patch ---- - -Fix #2176 `--base` does not work
.changeset/floppy-tires-worry.md+0 −7 removed@@ -1,7 +0,0 @@ ---- -"@farmfe/core": patch ---- - -Added origin validation to HMR server - -BREAKING CHANGE: The HMR server now rejects all connections with unrecognized `Origin` headers. Clients need to update their configured ports and hosts if they want external apps to be able to connect to the HMR server.
.changeset/witty-plants-fly.md+0 −5 removed@@ -1,5 +0,0 @@ ---- -"@farmfe/core": patch ---- - -Fix #2188 lazy compilation should respect publicPath
examples/import-meta/package.json+1 −1 modified@@ -12,7 +12,7 @@ "author": "", "license": "ISC", "devDependencies": { - "@farmfe/cli": "^1.0.4", + "@farmfe/cli": "^1.0.5", "@farmfe/core": "workspace:*" } }
examples/tailwind-next/CHANGELOG.md+6 −0 modified@@ -1,5 +1,11 @@ # @farmfe-examples/tailwind-next +## 0.0.16 + +### Patch Changes + +- @farmfe/js-plugin-tailwindcss@0.0.15 + ## 0.0.15 ### Patch Changes
examples/tailwind-next/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@farmfe-examples/tailwind-next", - "version": "0.0.15", + "version": "0.0.16", "private": true, "dependencies": { "@farmfe/js-plugin-tailwindcss": "workspace:^",
examples/vite-adapter-svelte/package.json+1 −1 modified@@ -11,7 +11,7 @@ "check": "svelte-check --tsconfig ./tsconfig.json" }, "devDependencies": { - "@farmfe/cli": "^1.0.4", + "@farmfe/cli": "^1.0.5", "@farmfe/core": "workspace:*", "@sveltejs/vite-plugin-svelte": "^4", "@tsconfig/svelte": "^5.0.2",
js-plugins/less/package.json+2 −2 modified@@ -40,13 +40,13 @@ "license": "MIT", "devDependencies": { "@farmfe/cli": "workspace:*", - "@farmfe/core": "workspace:^1.7.3", + "@farmfe/core": "workspace:^1.7.6", "@farmfe/js-plugin-dts": "workspace:^", "@types/less": "^3.0.3", "less": "^4.1.3" }, "peerDependencies": { - "@farmfe/core": "workspace:^1.7.3", + "@farmfe/core": "workspace:^1.7.6", "less": "^3.5.0 || ^4.0.0" } }
js-plugins/postcss/package.json+1 −1 modified@@ -51,7 +51,7 @@ "postcss-url": "^10.1.3" }, "peerDependencies": { - "@farmfe/core": "workspace:^1.7.5", + "@farmfe/core": "workspace:^1.7.6", "postcss": ">=8.0.0" } }
js-plugins/sass/package.json+2 −2 modified@@ -46,13 +46,13 @@ "license": "MIT", "devDependencies": { "@farmfe/cli": "workspace:*", - "@farmfe/core": "workspace:^1.7.3", + "@farmfe/core": "workspace:^1.7.6", "@farmfe/js-plugin-dts": "workspace:*", "sass": "^1.74.1", "sass-embedded": "^1.74.1" }, "peerDependencies": { - "@farmfe/core": "workspace:^1.7.3", + "@farmfe/core": "workspace:^1.7.6", "sass": "^1.3.0", "sass-embedded": "*" }
js-plugins/solid/package.json+1 −1 modified@@ -41,7 +41,7 @@ "solid-js": "^1.7.8" }, "peerDependencies": { - "@farmfe/core": "workspace:^1.7.5" + "@farmfe/core": "workspace:^1.7.6" }, "files": [ "build"
js-plugins/svgr/package.json+2 −2 modified@@ -40,14 +40,14 @@ "license": "MIT", "devDependencies": { "@farmfe/cli": "workspace:*", - "@farmfe/core": "workspace:^1.7.3", + "@farmfe/core": "workspace:^1.7.6", "@farmfe/js-plugin-dts": "workspace:^" }, "dependencies": { "@svgr/core": "^8.1.0", "@svgr/plugin-jsx": "^8.1.0" }, "peerDependencies": { - "@farmfe/core": "workspace:^1.7.3" + "@farmfe/core": "workspace:^1.7.6" } }
js-plugins/tailwindcss/CHANGELOG.md+8 −0 modified@@ -1,5 +1,13 @@ # @farmfe/js-plugin-tailwindcss +## 0.0.15 + +### Patch Changes + +- Updated dependencies [83342ef0] +- Updated dependencies [c7bcfa0f] + - @farmfe/core@1.7.6 + ## 0.0.14 ### Patch Changes
js-plugins/tailwindcss/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@farmfe/js-plugin-tailwindcss", - "version": "0.0.14", + "version": "0.0.15", "description": "support tailwindcss for farm.", "type": "module", "main": "./dist/index.js",
js-plugins/vue/package.json+1 −1 modified@@ -52,7 +52,7 @@ "source-map": "^0.7.4" }, "peerDependencies": { - "@farmfe/core": "workspace:^1.7.5", + "@farmfe/core": "workspace:^1.7.6", "less": "*", "sass": "*", "stylus": "*"
packages/cli/CHANGELOG.md+6 −0 modified@@ -1,5 +1,11 @@ # @farmfe/cli +## 1.0.5 + +### Patch Changes + +- c7bcfa0f: Fix #2176 `--base` does not work + ## 1.0.4 ### Patch Changes
packages/cli/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@farmfe/cli", - "version": "1.0.4", + "version": "1.0.5", "description": "CLI of Farm", "type": "module", "author": {
packages/core/CHANGELOG.md+10 −0 modified@@ -1,5 +1,15 @@ # @farmfe/core +## 1.7.6 + +### Patch Changes + +- 83342ef0: Added origin validation to HMR server + + BREAKING CHANGE: The HMR server now rejects all connections with unrecognized `Origin` headers. Clients need to update their configured ports and hosts if they want external apps to be able to connect to the HMR server. + +- c7bcfa0f: Fix #2188 lazy compilation should respect publicPath + ## 1.7.5 ### Patch Changes
packages/core/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@farmfe/core", - "version": "1.7.5", + "version": "1.7.6", "main": "dist/index.js", "types": "dist/index.d.ts", "type": "module",
pnpm-lock.yaml+6 −6 modified@@ -478,7 +478,7 @@ importers: examples/import-meta: devDependencies: '@farmfe/cli': - specifier: ^1.0.4 + specifier: ^1.0.5 version: link:../../packages/cli '@farmfe/core': specifier: workspace:* @@ -1096,7 +1096,7 @@ importers: optionalDependencies: '@tsconfig/create-react-app': specifier: latest - version: 2.0.5 + version: 2.0.6 abort-controller: specifier: latest version: 3.0.0 @@ -1802,7 +1802,7 @@ importers: examples/vite-adapter-svelte: devDependencies: '@farmfe/cli': - specifier: ^1.0.4 + specifier: ^1.0.5 version: link:../../packages/cli '@farmfe/core': specifier: workspace:* @@ -6362,8 +6362,8 @@ packages: '@ts-morph/common@0.24.0': resolution: {integrity: sha512-c1xMmNHWpNselmpIqursHeOHHBTIsJLbB+NuovbTTRCNiTLEr/U9dbJ8qy0jd/O2x5pc3seWuOUN5R2IoOTp8A==} - '@tsconfig/create-react-app@2.0.5': - resolution: {integrity: sha512-NiXzSMJabQtVTPwFmBWX+eyee2dfhRSnQ6NNbtCZfXemGxOq+N0+RMPVYu+sz6riUZANHTnvvHoS1k87ksyDXg==} + '@tsconfig/create-react-app@2.0.6': + resolution: {integrity: sha512-yiuwTQE6/FDhVZgrSONRaSWRhMvY9dR/R7F+vycxNzbjloO2YdOphrVCvoYuNJq/M6QMxpJhjN62Whc05qQBag==} '@tsconfig/node10@1.0.9': resolution: {integrity: sha512-jNsYVVxU8v5g43Erja32laIDHXeoNvFEpX33OK4d6hljo3jDhCBDhx5dhCCTMWUojscpAagGiRkBKxpdl9fxqA==} @@ -22737,7 +22737,7 @@ snapshots: mkdirp: 3.0.1 path-browserify: 1.0.1 - '@tsconfig/create-react-app@2.0.5': + '@tsconfig/create-react-app@2.0.6': optional: true '@tsconfig/node10@1.0.9': {}
83342ef06e0a fix(core): Add origin check to the HMR server (#2173)
2 files changed · +35 −1
.changeset/floppy-tires-worry.md+7 −0 added@@ -0,0 +1,7 @@ +--- +"@farmfe/core": patch +--- + +Added origin validation to HMR server + +BREAKING CHANGE: The HMR server now rejects all connections with unrecognized `Origin` headers. Clients need to update their configured ports and hosts if they want external apps to be able to connect to the HMR server.
packages/core/src/server/ws.ts+28 −1 modified@@ -45,16 +45,39 @@ export default class WsServer implements IWebSocketServer { public clientsMap = new WeakMap<WebSocketRawType, WebSocketClient>(); public bufferedError: any = null; public logger: ILogger; + private hmrOrigins: string[]; constructor( private httpServer: Server, private config: NormalizedServerConfig, private hmrEngine: HmrEngine, logger?: ILogger ) { this.logger = logger ?? new Logger(); + this.hmrOrigins = this.generateHMROrigins(config); this.createWebSocketServer(); } + private generateHMROrigins(config: NormalizedServerConfig): string[] { + const { protocol, hostname, port } = config; + const origins = []; + + // Add localhost with configured port + origins.push(`${protocol}://localhost:${port}`); + origins.push(`${protocol}://127.0.0.1:${port}`); + + // Add non-localhost origin + if ( + hostname && + hostname.name && + hostname.name !== 'localhost' && + hostname.name !== '127.0.0.1' + ) { + origins.push(`${protocol}://${hostname.name}:${port}`); + } + + return origins; + } + private createWebSocketServer() { try { const WebSocketServer = process.versions.bun @@ -77,6 +100,9 @@ export default class WsServer implements IWebSocketServer { ) { if (this.isHMRRequest(request)) { this.handleHMRUpgrade(request, socket, head); + } else { + // Close the connection so as to avoid unnecessary system resource utilization + socket.destroy(); } } @@ -116,7 +142,8 @@ export default class WsServer implements IWebSocketServer { private isHMRRequest(request: IncomingMessage): boolean { return ( request.url === this.config.hmr.path && - request.headers['sec-websocket-protocol'] === HMR_HEADER + request.headers['sec-websocket-protocol'] === HMR_HEADER && + this.hmrOrigins.includes(request.headers['origin']) ); }
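Review bot: The allowlist built in `generateHMROrigins` only ever contains `host:port` forms, so a browser on a default port (whose `Origin` omits `:80`/`:443`), a server bound to `0.0.0.0`/`::` and reached via a LAN address, or an IPv6 `[::1]` loopback will all be rejected; consider also pushing the port-less form and `${protocol}://[::1]:${port}`, or comparing parsed `URL` components instead of raw strings. In `isHMRRequest`, `this.hmrOrigins.includes(request.headers['origin'])` also rejects any request with no `Origin` header at all, which is the non-browser case the advisory is not about — `const origin = request.headers['origin']; (origin === undefined || this.hmrOrigins.includes(origin))` keeps Node/CLI clients working while still blocking cross-site pages, which always send one. A rejected upgrade is dropped by `socket.destroy()` with no log line, so a developer hitting the new check only sees a silent reconnect loop; a `this.logger.warn(...)` naming the rejected origin would make the documented BREAKING CHANGE discoverable. That new `else` branch also destroys every non-HMR upgrade on the shared `httpServer`, which presumably breaks any other `upgrade` listener (e.g. a WebSocket proxy) registered after this one — confirm against the proxy code. The `upgrade` handler whose signature this branch sits in starts outside the hunk.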
Vulnerability mechanics
References