CVE-2025-56647 MEDIUM

CVE-2025-56647

Vendor N/A
Product n/a
Published February 12, 2026
Last update February 12, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:R

What the vulnerability does

01Description

npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development (hot module reloading) server does not validate origin when connecting to a WebSocket client. This allows attackers to surveil developers running Farm who visit their webpage and steal source code that is leaked by the WebSocket server.

Key dates

02Disclosure timeline

February 12, 2026 CVE published
February 12, 2026 Record updated