CVE-2025-56648

medium

Description

npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.

References

https://github.com/parcel-bundler/parcel/issues/10216

https://github.com/parcel-bundler/parcel/discussions/10089

https://github.com/parcel-bundler/parcel/commit/4bc56e3242a85491c7edf589966e9b44c6330c49

https://gist.github.com/R4356th/41f468def606b2406e36f7193f5322b8

Details

Source: Mitre, NVD

Published: 2025-09-17

Updated: 2026-01-26

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

Severity: High

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00015

Detections

Analytics