CVE-2025-56648
Parcel has an Origin Validation Error vulnerability
CVSS 3.1: 6.5 (MEDIUM)
EPSS: 0.01%
Description
parcel versions 1.6.1 and above have an Origin Validation Error vulnerability. When a developer visits a malicious website, that site can send XMLHttpRequest requests to the application's development server and read the responses, which lets it steal source code. Version 2.16.4 supports a `--no-cors` option which disables CORS headers in the dev server.
How to fix CVE-2025-56648
To remediate CVE-2025-56648, upgrade the affected package to a fixed version below.
- Upgrade to 2.16.4 or later
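An added example (not code from the Parcel project or from this advisory) for confirming the fix on a dev server you run: it applies the browser's standard CORS read check to the response headers seen by a foreign origin. The names `crossOriginReadable` and `auditDevServer` and the `untrusted.example` origin are hypothetical, and any header sets passed in for testing are constructed.

```javascript
// Added example, not Parcel's code. Function names and the default
// foreign origin are hypothetical.

// Returns true when a browser would let a page at `pageOrigin` read a
// cross-origin response carrying `headers` (standard CORS check).
function crossOriginReadable(headers, pageOrigin, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) {
    h[k.toLowerCase()] = String(v).trim();
  }
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return false; // no CORS header: the read is blocked
  if (withCredentials) {
    // The wildcard is not honoured for credentialed requests.
    return acao === pageOrigin &&
           h['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// Probe a dev server you run yourself and report whether its responses
// would be readable from a foreign origin. `url` is supplied by the caller.
async function auditDevServer(url, foreignOrigin = 'https://untrusted.example') {
  const http = await import('node:http');
  return new Promise((resolve, reject) => {
    const req = http.get(url, { headers: { Origin: foreignOrigin } }, (res) => {
      res.resume(); // discard the body, only the headers matter here
      resolve({
        status: res.statusCode,
        allowOrigin: res.headers['access-control-allow-origin'] ?? null,
        readable: crossOriginReadable(res.headers, foreignOrigin),
      });
    });
    req.on('error', reject);
  });
}
```

Call `auditDevServer` with your own dev server's address before and after upgrading; `readable: false` means a page on a foreign origin cannot read the response.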
Is CVE-2025-56648 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.6.1, < 2.16.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |