Vulnerability in Parceljs Parcel

CVE-2025-56648

npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. When a developer visits a malicious website, that site can send XMLHttpRequests to the application's development server and read the responses to steal source code.

EPSS: 0.002 (12.5th percentile).

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.

Frequently asked questions

What is CVE-2025-56648?
CVE-2025-56648 is a medium-severity vulnerability in Parceljs Parcel, classified under Origin Validation Error. CVSS score: 6.5/10. Published 2025-09-17.
How severe is CVE-2025-56648?
Medium severity. CVSS v3 base score is 6.5 out of 10.
Is CVE-2025-56648 known to be exploited?
One public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.