Farm WebSocket Origin Validation Vulnerability in Development Server
Vulnerability
A vulnerability exists in the npm package @farmfe/core, in versions prior to 1.7.6, where the development server fails to validate the Origin of incoming WebSocket connections. Because the check is missing, a page on an attacker-controlled site that a developer visits can open a WebSocket connection to the local development server and receive its messages, which lets the attacker monitor the developer and potentially obtain leaked source code through the WebSocket server.
Impact
Exploitation of this vulnerability could lead to unauthorized access to a developer's source code, particularly if they visit an attacker-controlled website while the Farm development server is running.
Reproduction
To reproduce this vulnerability, create an HTML file that establishes a WebSocket connection to the Farm development server's hot module reloading (HMR) endpoint, including the WebSocket subprotocol header that marks the connection as an HMR request. Once the connection is open, the WebSocket client receives messages from the server, including any source code the server leaks over that channel.
Remediation
Users can update to Farm version 1.7.6 or later, or avoid visiting untrusted websites while using the Farm development server. If neither option is feasible, consider isolating the development environment with a proxy.
