PT-2025-46904 · Unknown · Socket Firewall

Published 2025-11-13 · Updated 2025-11-14 · CVE-2025-64726

CVSS v4.0: 7.3 (High)
Vector: AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Socket Firewall versions prior to 0.15.5

Description: Socket Firewall is an HTTP/HTTPS proxy server designed to enforce security policies by blocking dangerous packages. Versions prior to 0.15.5 are susceptible to arbitrary code execution when run inside an untrusted project directory. An attacker places a malicious .sfw.config file in the project; when a developer runs a Socket Firewall command such as sfw npm install in that directory, the tool loads the file and copies its environment variable definitions straight into the Node.js process environment. Because NODE_OPTIONS is honoured by the Node.js runtime itself, a value carrying a --require directive that points at a file shipped in the repository makes Node load attacker-controlled JavaScript before any of Socket Firewall's policy code runs, so its malicious-package detection is bypassed. The attack requires a developer to install dependencies for an untrusted project and then execute a Socket Firewall command within that project's context. The vulnerable component is the loading and processing of the .sfw.config file, specifically the way it populates environment variables without filtering them. The vulnerable parameter is NODE_OPTIONS.

Recommendations: Upgrade to Socket Firewall version 0.15.5 or later. If you cannot upgrade, do not run Socket Firewall inside untrusted project directories. Before running it in any new project, inspect .sfw.config and .env.local for NODE_OPTIONS or other environment variable definitions that reference local files; in NODE_OPTIONS, flags such as --require, -r, --import and --loader load code before the tool starts, so any such value in a project-supplied file should be treated as hostile.

Weakness Enumeration

CWE-427: Uncontrolled Search Path Element

Related Identifiers

CVE-2025-64726
GHSA-6c5p-vqrh-h6fp

Affected Products

Socket Firewall