Vulnerability in Parceljs Parcel
CVE-2025-56648
npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.
EPSS: 0.002 (12.5th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.
Affected products
- Parceljs Parcel — versions 2.0.0
- N/a — versions n/a
Weakness classification (CWE)
Public proof-of-concept exploits
References
- cve@mitre.org (Exploit)
- cve@mitre.org (Issue Tracking)
- cve@mitre.org (Exploit, Issue Tracking)
- cve@mitre.org
Frequently asked questions
- What is CVE-2025-56648?
- CVE-2025-56648 is a medium-severity vulnerability in Parceljs Parcel, classified under Origin Validation Error. CVSS score: 6.5/10. Published 2025-09-17.
- How severe is CVE-2025-56648?
- Medium severity. CVSS v3 base score is 6.5 out of 10.
- Is CVE-2025-56648 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.