diff --git a/advisories/github-reviewed/2026/02/GHSA-p773-8mf4-rjm5/GHSA-p773-8mf4-rjm5.json b/advisories/github-reviewed/2026/02/GHSA-p773-8mf4-rjm5/GHSA-p773-8mf4-rjm5.json
index ee8c420a9505a..a40f7584f9fe3 100644
--- a/advisories/github-reviewed/2026/02/GHSA-p773-8mf4-rjm5/GHSA-p773-8mf4-rjm5.json
+++ b/advisories/github-reviewed/2026/02/GHSA-p773-8mf4-rjm5/GHSA-p773-8mf4-rjm5.json
@@ -1,17 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-p773-8mf4-rjm5",
- "modified": "2026-02-12T22:14:12Z",
+ "modified": "2026-02-12T22:14:13Z",
 "published": "2026-02-12T18:30:23Z",
 "aliases": [
 "CVE-2025-56647"
 ],
 "summary": "@farmfe/core is Missing Origin Validation in WebSocket",
- "details": "npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development (hot module reloading) server does not validate origin when connecting to a WebSocket client. This allows attackers to surveil developers running Farm who visit their webpage and steal source code that is leaked by the WebSocket server.",
+ "details": "npm @farmfe/core versions prior to 1.7.6 are vulnerable to Cross-Site WebSocket Hijacking (CSWSH) due to missing origin validation in the WebSocket server.\n\nThe development server (used for hot module reloading) fails to validate the `Origin` header when accepting WebSocket connections. An attacker can trick a developer running the dev server into visiting a malicious webpage. This page can connect to the developer's local WebSocket server (e.g., `ws://localhost:9000`) and steal source code or sensitive data exposed by the HMR interface.",
 "severity": [
 {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
 }
 ],
 "affected": [
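Review bot: The new `severity` entry replaces the CVSS_V3 record rather than sitting alongside it, so the 3.1 vector (`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N`) is lost to consumers that only read CVSS_V3 scores. The OSV `severity` field is an array, so keeping the old object and appending `{ "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }` would preserve both ratings. The MODERATE → HIGH change in the second hunk (presumably the `database_specific` severity) appears to follow the v4 vector; with the v3 vector dropped there is no longer a visible basis for the prior rating, which is worth stating in the commit message. Also, `schema_version` stays at `1.4.0` while, if I recall correctly, the CVSS_V4 severity type was introduced in a later OSV schema revision, so strict validators pinned to 1.4.0 may reject the entry — worth confirming.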
@@ -61,7 +61,7 @@
 "cwe_ids": [
 "CWE-1385"
 ],
- "severity": "MODERATE",
+ "severity": "HIGH",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-12T22:14:11Z",
 "nvd_published_at": "2026-02-12T16:16:03Z"