CVE-2025-64726: CWE-15: External Control of System or Configuration Setting in SocketDev firewall-release
Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable to arbitrary code execution when run in untrusted project directories. The vulnerability allows an attacker to execute arbitrary code by placing a malicious `.sfw.config` file in a project directory. When a developer runs Socket Firewall commands (e.g., `sfw npm install`) in that directory, the tool loads the `.sfw.config` file and populates environment variables directly into the Node.js process. An attacker can exploit this by setting `NODE_OPTIONS` with a `--require` directive to execute malicious JavaScript code before Socket Firewall's security controls are initialized, effectively bypassing the tool's malicious package detection. The attack vector is indirect and requires a developer to install dependencies for an untrusted project and execute a command within the context of the untrusted project. The vulnerability has been patched in Socket Firewall version 0.15.5. Users should upgrade to version 0.15.5 or later. The fix isolates configuration file values from subprocess environments. Look at `sfw --version` for version information. If users rely on the recommended installation mechanism (e.g. global installation via `npm install -g sfw`) then no workaround is necessary. This wrapper package automatically ensures that users are running the latest version of Socket Firewall. Users who have manually installed the binary and cannot immediately upgrade should avoid running Socket Firewall in untrusted project directories. Before running Socket Firewall in any new project, inspect `.sfw.config` and `.env.local` files for suspicious `NODE_OPTIONS` or other environment variable definitions that reference local files.
AI Analysis
Technical Summary
CVE-2025-64726 is a vulnerability classified under CWE-15 (External Control of System or Configuration Setting) and CWE-427 (Uncontrolled Search Path Element) affecting SocketDev's Socket Firewall binary versions prior to 0.15.5. Socket Firewall acts as an HTTP/HTTPS proxy to intercept package manager requests and enforce security policies by blocking dangerous packages. The vulnerability occurs when the tool is executed in an untrusted project directory containing a malicious .sfw.config file. Socket Firewall loads this configuration file and injects its values directly into the Node.js process environment variables. Specifically, an attacker can set the NODE_OPTIONS environment variable with a --require directive that forces Node.js to load and execute arbitrary JavaScript code before Socket Firewall's security mechanisms initialize. This early execution allows the attacker to bypass the firewall's malicious package detection controls, effectively enabling arbitrary code execution on the developer's system. The attack vector requires the developer to run commands such as 'sfw npm install' within the compromised directory, making it an indirect but potent threat. The vulnerability has been addressed in version 0.15.5 by isolating configuration file values from subprocess environments, preventing malicious environment variable injection. Users who install Socket Firewall globally via npm do not need additional workarounds, as the wrapper package ensures the latest version is used. However, users who manually install the binary and cannot upgrade immediately should avoid running Socket Firewall in untrusted directories and inspect .sfw.config and .env.local files for suspicious environment variable definitions referencing NODE_OPTIONS or local files.
The CVSS 4.0 score is 7.3 (high severity) with attack vector local, low attack complexity, partial privileges required, user interaction required, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to development environments where Socket Firewall is used to secure package installations. Successful exploitation can lead to arbitrary code execution on developer machines, potentially compromising sensitive source code, credentials, and build environments. This can cascade into supply chain attacks if malicious packages are installed or if compromised developer machines are used to deploy software. The ability to bypass malicious package detection undermines the trust in package security policies, increasing the risk of malware infiltration. Confidentiality, integrity, and availability of development infrastructure and potentially production systems are at risk. Organizations with distributed development teams or those relying on manual binary installations of Socket Firewall are particularly vulnerable. The indirect attack vector requiring user interaction (running commands in untrusted directories) means social engineering or insider threats could facilitate exploitation. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits following public disclosure. European organizations must prioritize patching and auditing development environments to mitigate potential supply chain and code integrity risks.
Mitigation Recommendations
1. Upgrade all Socket Firewall installations to version 0.15.5 or later immediately to apply the patch that isolates configuration values from subprocess environments.
2. For users who manually installed the binary and cannot upgrade immediately, strictly avoid running Socket Firewall commands in untrusted or unknown project directories.
3. Implement a policy to inspect .sfw.config and .env.local files in all project directories before running Socket Firewall commands, specifically looking for suspicious NODE_OPTIONS or environment variable definitions that could load local malicious scripts.
4. Prefer global installation of Socket Firewall via npm (e.g., npm install -g sfw) to benefit from automatic updates and wrapper protections.
5. Educate developers about the risks of running commands in untrusted directories and encourage use of isolated or sandboxed environments for untrusted projects.
6. Integrate file integrity monitoring on configuration files within development environments to detect unauthorized changes.
7. Employ endpoint detection and response (EDR) solutions to monitor for suspicious Node.js process behaviors indicative of exploitation attempts.
8. Review and tighten access controls on developer workstations to limit the ability of attackers to place malicious configuration files.
9. Incorporate this vulnerability into supply chain risk assessments and incident response plans to ensure rapid detection and remediation if exploited.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-10T14:07:42.923Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69163a0b6c6480bc321d2e8b
Added to database: 11/13/2025, 8:05:31 PM
Last enriched: 11/13/2025, 8:20:26 PM
Last updated: 11/14/2025, 4:07:23 AM