
In versions of Farm before v1.7.6, Farm's dev (HMR) server does not validate the Origin header when a WebSocket client connects. A webpage controlled by an attacker can therefore open a WebSocket to the dev server of any developer who visits it, observe what the server sends, and potentially steal source code leaked over that connection.

PoC

Code like this would be on the attacker's webpage:

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
R4356th / Stealing code using WebSocket Connection.md
Last active September 17, 2025 15:56
Two information disclosure vulnerabilities in Parcel
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>WebSocket Client Example</title>
</head>
<body>
  <h1>WebSocket Client</h1>
  <div id="status">Connecting...</div>
R4356th / head.html
Last active June 10, 2021 16:26
MediaWiki PWA Example
<link rel="manifest" href="manifest.webmanifest">
R4356th / redirector.js
Last active October 7, 2025 11:32
JavaScript code to enforce https on your websites
/* Copyright 2020-25 Radman Siddiki
Licensed under the MIT License (https://www.mit.edu/~amini/LICENSE.md) */
// Client-side fallback only: the page has already been fetched over plain HTTP
// by the time this runs, so an on-path attacker can strip it. Pair it with a
// server-side 301 to https and a Strict-Transport-Security header.
if (location.protocol === "http:") {
  // Only the scheme changes; replace() keeps the http: URL out of history.
  location.replace(location.href.replace("http:", "https:"));
}