CVE-2025-56648

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

n

pm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.

References

Link	Resource
https://gist.github.com/R4356th/41f468def606b2406e36f7193f5322b8	Exploit
https://github.com/parcel-bundler/parcel/commit/4bc56e3242a85491c7edf589966e9b44c6330c49
https://github.com/parcel-bundler/parcel/discussions/10089	Issue Tracking
https://github.com/parcel-bundler/parcel/issues/10216	Exploit Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parceljs:parcel::::::::
	cpe:2.3:a:parceljs:parcel:2.0.0:alpha0::::::

History

26 Jan 2026, 17:16

Type	Values Removed	Values Added
Summary		(es) npm parcel 2.0.0-alpha y anteriores tiene una vulnerabilidad de error de validación de origen. Sitios web maliciosos pueden enviar XMLHTTPRequests al servidor de desarrollo de la aplicación y leer la respuesta para robar código fuente cuando los desarrolladores los visitan.
References		() https://github.com/parcel-bundler/parcel/commit/4bc56e3242a85491c7edf589966e9b44c6330c49 -

26 Sep 2025, 15:06

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-17 19:15

Updated : 2026-01-26 17:16

NVD link : CVE-2025-56648

Mitre link : CVE-2025-56648

CVE.ORG link : CVE-2025-56648

JSON object : View

Products Affected

parcel

CWE

CWE-346

Origin Validation Error

{"id": "CVE-2025-56648", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-09-17T19:15:46.963", "references": [{"url": "https://gist.github.com/R4356th/41f468def606b2406e36f7193f5322b8", "tags": ["Exploit"], "source": "[email protected]"}, {"url": "https://github.com/parcel-bundler/parcel/commit/4bc56e3242a85491c7edf589966e9b44c6330c49", "source": "[email protected]"}, {"url": "https://github.com/parcel-bundler/parcel/discussions/10089", "tags": ["Issue Tracking"], "source": "[email protected]"}, {"url": "https://github.com/parcel-bundler/parcel/issues/10216", "tags": ["Exploit", "Issue Tracking"], "source": "[email protected]"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them."}, {"lang": "es", "value": "npm parcel 2.0.0-alpha y anteriores tiene una vulnerabilidad de error de validaci\u00f3n de origen. Sitios web maliciosos pueden enviar XMLHTTPRequests al servidor de desarrollo de la aplicaci\u00f3n y leer la respuesta para robar c\u00f3digo fuente cuando los desarrolladores los visitan."}], "lastModified": "2026-01-26T17:16:11.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parceljs:parcel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BBC5650B-9070-49A9-85B6-24C780E59C78", "versionEndIncluding": "1.10.3"}, {"criteria": "cpe:2.3:a:parceljs:parcel:2.0.0:alpha0:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16D33281-5F1D-47B8-9ABD-D01A8931FED0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}