CVE-2025-56648: Parcel has an Origin Validation Error vulnerability
Parcel versions 1.6.1 and above have an Origin Validation Error vulnerability. When a developer visits a malicious website, that site can send XMLHttpRequests to the application's development server and read the responses, which lets it steal source code. Version 2.16.4 supports a --no-cors option, which disables CORS headers in the dev server.
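
The following is an added example, not code from the advisory or from the Parcel project: a Node.js check a developer can run against their own dev server to see whether its CORS response headers would let a page on another origin read the response. The probe origin, the function names and the URL passed to `probe` are assumptions, and `probe` needs Node 18+ for the global `fetch`.

```javascript
// Added example (not Parcel's code): decide whether a server's CORS response
// headers allow a page on a different origin to read the response body.
const PROBE_ORIGIN = "https://untrusted.example"; // constructed placeholder origin

// headers: plain object of response headers (names matched case-insensitively).
function auditCors(headers, probeOrigin = PROBE_ORIGIN) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (acao === "*") {
    return { readable: true, reason: "wildcard: any origin can read the response" };
  }
  if (acao === probeOrigin) {
    return { readable: true, reason: "foreign Origin value reflected back" };
  }
  if (acao === "null") {
    return { readable: true, reason: "'null' origin allowed (e.g. sandboxed iframes)" };
  }
  return { readable: false, reason: `restricted to ${acao}` };
}

// Sends one GET carrying a foreign Origin header to a server you run yourself,
// then audits the headers that come back.
// Assumption: `url` is wherever your own dev server is listening.
async function probe(url, probeOrigin = PROBE_ORIGIN) {
  const res = await fetch(url, { headers: { Origin: probeOrigin } });
  return auditCors(Object.fromEntries(res.headers), probeOrigin);
}

// Constructed sample responses (not captured from a real server).
const samples = {
  "CORS headers enabled": {
    "Content-Type": "application/javascript",
    "Access-Control-Allow-Origin": "*",
  },
  "CORS headers disabled": { "Content-Type": "application/javascript" },
};
for (const [label, headers] of Object.entries(samples)) {
  console.log(label, "->", auditCors(headers));
}

// Against a live server: probe("http://localhost:<port>/").then(console.log);
```

Because --no-cors disables CORS headers in the dev server, a server started with that option should come back as `readable: false` with the "no Access-Control-Allow-Origin header" reason.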
References
- gist.github.com/R4356th/41f468def606b2406e36f7193f5322b8
- github.com/advisories/GHSA-qm9p-f9j5-w83w
- github.com/parcel-bundler/parcel
- github.com/parcel-bundler/parcel/commit/4bc56e3242a85491c7edf589966e9b44c6330c49
- github.com/parcel-bundler/parcel/commit/9e2f6f1377123cff3b82f6dde4e20336efc846a1
- github.com/parcel-bundler/parcel/discussions/10089
- github.com/parcel-bundler/parcel/issues/10216
- github.com/parcel-bundler/parcel/pull/10138
- nvd.nist.gov/vuln/detail/CVE-2025-56648