CVE-2025-56648

EUVD-2025-29779
npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA-ADPADP
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
parceljsparcel
𝑥
≤ 1.10.3
parceljsparcel
2.0.0:alpha0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://gist.github.com/R4356th/41f468def606b2406e36f7193f5322b8
https://github.com/parcel-bundler/parcel/commit/4bc56e3242a85491c7edf589966e9b44c6330c49
https://github.com/parcel-bundler/parcel/discussions/10089
https://github.com/parcel-bundler/parcel/issues/10216