CVE-2025-56648

6.5 MEDIUM
Published: September 17, 2025 Modified: January 26, 2026
View on NVD

Description

npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://gist.github.com/R4356th/41f468def606b2406e36f7193f5322b8
Source: cve@mitre.org
Exploit
https://github.com/parcel-bundler/parcel/commit/4bc56e3242a85491c7edf589966e9b44c6330c49
Source: cve@mitre.org
https://github.com/parcel-bundler/parcel/discussions/10089
Source: cve@mitre.org
Issue Tracking
https://github.com/parcel-bundler/parcel/issues/10216
Source: cve@mitre.org
Exploit Issue Tracking

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.5 / 10.0
EPSS (Exploit Probability)
0.0%
1th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-346

Affected Vendors

parceljs

Related CVEs

CVE-2026-4948 5.5
CVE-2026-34353 5.9
CVE-2026-33559 5.4
CVE-2026-33366 5.3
CVE-2026-33280 7.2