GHSA-qm9p-f9j5-w83w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qm9p-f9j5-w83w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-qm9p-f9j5-w83w/GHSA-qm9p-f9j5-w83w.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-qm9p-f9j5-w83w
- Aliases
-
- CVE-2025-56648
- Published
- 2025-09-17T21:30:42Z
- Modified
- 2025-09-18T17:42:28.691474Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Parcel has an Origin Validation Error vulnerability
- Details
-
npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2025-09-17T19:15:46Z", "cwe_ids": [ "CWE-346" ], "github_reviewed_at": "2025-09-18T17:15:13Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-56648
- https://github.com/parcel-bundler/parcel/issues/10216
- https://github.com/parcel-bundler/parcel/pull/10138
- https://gist.github.com/R4356th/41f468def606b2406e36f7193f5322b8
- https://github.com/parcel-bundler/parcel
- https://github.com/parcel-bundler/parcel/discussions/10089
Affected packages
npm / @parcel/reporter-dev-server
Package
- Name
- @parcel/reporter-dev-server
- View open source insights on deps.dev
- Purl
- pkg:npm/%40parcel/reporter-dev-server