Arbitrary Code Execution Vulnerability in Socket Firewall by SocketDev
CVE-2025-64726

7.3 HIGH

Key Information:

Vendor: Socketdev
CVE Published: 13 November 2025

What is CVE-2025-64726?

Socket Firewall, an HTTP/HTTPS proxy server developed by SocketDev, is vulnerable to arbitrary code execution in versions prior to 0.15.5 when it is run in an untrusted project directory. The issue arises when a malicious actor places a crafted .sfw.config file within a project directory. When a Socket Firewall command such as sfw npm install is run, the tool processes the configuration file and can populate harmful environment variables directly into the Node.js process. An attacker can set the NODE_OPTIONS variable to include --require directives, so that malicious JavaScript code executes before the tool's security mechanisms are engaged. Users are encouraged to upgrade to version 0.15.5 or later, which includes a fix that isolates configuration file values from subprocess environments. Developers should inspect .sfw.config and .env.local files before executing commands in new projects, especially if they are unsure of the source's trustworthiness.
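One way to carry out the inspection described above before running sfw in a freshly cloned project, as an added example rather than SocketDev's code. It assumes both files use dotenv-style KEY=VALUE lines; the function names, the sample contents and the SFW_EXAMPLE_SETTING key are hypothetical.

```javascript
// Added example: audit the text of .sfw.config / .env.local for NODE_OPTIONS.
// Assumption: KEY=VALUE lines, '#' comments, optional leading 'export'.

// Node.js flags that load a module before the main program starts.
const PRELOAD_FLAG = /(^|\s)(--require|-r|--import)(=|\s|$)/;

// Parse dotenv-style text into [key, value] pairs, stripping matching quotes.
function parseEnvText(text) {
  const pairs = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    pairs.push([m[1], m[2].replace(/^(['"])(.*)\1$/, '$2')]);
  }
  return pairs;
}

// Return one finding per NODE_OPTIONS assignment in the given file text.
// 'preload' = value contains a module-preload flag; 'review' = any other value.
function auditEnvText(fileName, text) {
  const findings = [];
  for (const [key, value] of parseEnvText(text)) {
    // Compare case-insensitively: Windows environment names ignore case.
    if (key.toUpperCase() !== 'NODE_OPTIONS') continue;
    const severity = PRELOAD_FLAG.test(value) ? 'preload' : 'review';
    findings.push({ file: fileName, key, value, severity });
  }
  return findings;
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_PRELOAD = [
  '# constructed sample',
  'SFW_EXAMPLE_SETTING=1', // hypothetical key, for illustration only
  'NODE_OPTIONS="--require ./constructed-preload.js"',
].join('\n');
const SAMPLE_REVIEW = 'export NODE_OPTIONS=--max-old-space-size=4096\n';

for (const f of [
  ...auditEnvText('.sfw.config', SAMPLE_PRELOAD),
  ...auditEnvText('.env.local', SAMPLE_REVIEW),
]) {
  console.log(`${f.file}: ${f.key}=${f.value} [${f.severity}]`);
}
```

To use it on a real checkout, pass each file's contents to auditEnvText and treat any finding as a reason to read the file before running sfw there.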

Affected Version(s)

firewall-release < 0.15.5

CVSS V4

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
