CVE-2025-56648: Parcel has an Origin Validation Error vulnerability

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.01908%
Published: 9/17/2025
Updated: 9/18/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
@parcel/reporter-dev-server | npm | <= 2.14.4 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is an Origin Validation Error (CWE-346) in the Parcel development server. The root cause is a failure to properly validate the Origin and Host headers of incoming HTTP and WebSocket requests. This allowed any website to interact with the local development server, violating the same-origin policy.

The analysis of the patch commit 4bc56e3242a85491c7edf589966e9b44c6330c49 reveals three key areas of weakness that were addressed:

  1. Insecure CORS Configuration: The setHeaders function in packages/reporters/dev-server/src/Server.js unconditionally set Access-Control-Allow-Origin: *. This allowed any origin to make cross-origin requests and read the response, which is how a malicious site could steal source code.

  2. Missing Host Header Validation: The main server middleware in Server.start did not validate the Host header, making it susceptible to DNS rebinding attacks. This provided another vector for bypassing browser security controls.

  3. Cross-Site WebSocket Hijacking (CSWH): The HMRServer.start method created a WebSocket server without validating the origin of incoming connections. This allowed any website to establish a persistent WebSocket connection to the development server.

The identified vulnerable functions are the ones that were directly responsible for these security lapses. During an exploit, setHeaders would be called to generate the permissive CORS headers, and the lack of validation in Server.start and HMRServer.start would allow the malicious requests to be processed in the first place.

Vulnerable functions

setHeaders
packages/reporters/dev-server/src/Server.js
This function was responsible for setting the Cross-Origin Resource Sharing (CORS) headers on HTTP responses from the development server. Prior to the patch, it unconditionally set the 'Access-Control-Allow-Origin' header to '*', which allows any website to make a request to the server and read the response. This is the primary vulnerability that allows a malicious website visited by a developer to steal source code from the local development server.
Server.start
packages/reporters/dev-server/src/Server.js
The main request handler middleware, configured within the `Server.start` method, lacked validation for the 'Host' header of incoming requests. This omission made the server vulnerable to DNS rebinding attacks. An attacker could use a malicious DNS server to trick a user's browser into sending requests to the local Parcel dev server, bypassing same-origin policy, because the server did not verify that the 'Host' header matched an expected value.
HMRServer.start
packages/reporters/dev-server/src/HMRServer.js
The `HMRServer.start` method initializes the WebSocket server for Hot Module Replacement. Before the patch, the `WebSocket.Server` was instantiated without a `verifyClient` function. This meant that it would accept WebSocket connections from any origin, leading to a Cross-Site WebSocket Hijacking (CSWH) vulnerability. A malicious website could open a WebSocket connection to the developer's local server, potentially receiving updates or sending commands.
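As an added example (not Parcel's code, and not a reproduction of the fix in commit 4bc56e3242a85491c7edf589966e9b44c6330c49), the three checks that the root cause analysis and the function descriptions above identify as missing, written as standalone Node.js functions: a Host allowlist for the request middleware, an Origin check that can back a WebSocket `verifyClient` hook, and a CORS header that reflects an allowed origin instead of `*`. The localhost allowlist, the treatment of a missing Origin header as a non-browser client, and the sample request headers are all assumptions made for this illustration.

```javascript
// Added illustration, not Parcel's code: the three checks the analysis above
// says were missing, as pure functions over a request's header object so they
// can be exercised without opening a socket. The localhost allowlist is an
// assumed policy for a dev server that should only be reached by pages it
// served itself.

const DEFAULT_ALLOWED_HOSTS = ['localhost', '127.0.0.1', '[::1]'];

// Host header grammar we accept: a DNS name or IPv4 literal, or a bracketed
// IPv6 literal, optionally followed by a port. Anything else is rejected.
const HOST_HEADER_RE = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d{1,5})?$/i;

// Extract the lower-cased hostname from a Host header, or null if malformed.
function hostnameFromHostHeader(hostHeader) {
  if (typeof hostHeader !== 'string') return null;
  const match = HOST_HEADER_RE.exec(hostHeader);
  return match ? match[1].toLowerCase() : null;
}

// Check 2 from the analysis: the Host header must name this server. A DNS
// rebinding page makes the browser send the attacker's hostname here, so an
// allowlist comparison blocks it regardless of what that name resolves to.
function isAllowedHost(hostHeader, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  const hostname = hostnameFromHostHeader(hostHeader);
  return hostname !== null && allowedHosts.includes(hostname);
}

// Check 3 (and the input to check 1): when a browser sends an Origin header it
// must belong to an allowed host. A missing Origin is assumed to be a
// non-browser client (curl, a CLI); the literal "null" is an opaque origin and
// is refused. The same rule serves plain requests and WebSocket upgrades.
function isAllowedOrigin(originHeader, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  if (originHeader === undefined) return true;
  if (originHeader === 'null') return false;
  let origin;
  try {
    origin = new URL(originHeader);
  } catch {
    return false;
  }
  if (origin.protocol !== 'http:' && origin.protocol !== 'https:') return false;
  return allowedHosts.includes(origin.hostname);
}

// Check 1: instead of an unconditional "Access-Control-Allow-Origin: *",
// reflect the Origin only when it passed isAllowedOrigin, and add
// "Vary: Origin" so a cache never serves one origin's answer to another.
function corsHeadersFor(requestHeaders, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  const origin = requestHeaders.origin;
  if (origin === undefined || !isAllowedOrigin(origin, allowedHosts)) return {};
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
}

// Gate usable from both the HTTP middleware and a WebSocket verifyClient hook
// (e.g. verifyClient: (info) => checkRequest(info.req.headers).allowed).
// requestHeaders is Node's lower-cased req.headers object.
function checkRequest(requestHeaders, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  if (!isAllowedHost(requestHeaders.host, allowedHosts)) {
    return { allowed: false, status: 403, reason: 'host not in allowlist (DNS rebinding guard)' };
  }
  if (!isAllowedOrigin(requestHeaders.origin, allowedHosts)) {
    return { allowed: false, status: 403, reason: 'cross-site origin refused' };
  }
  return {
    allowed: true,
    status: 200,
    reason: 'ok',
    headers: corsHeadersFor(requestHeaders, allowedHosts),
  };
}

// Constructed sample traffic (not captured from any real server) covering the
// situations the analysis describes.
const SAMPLE_REQUESTS = {
  sameOriginPage: { host: 'localhost:1234', origin: 'http://localhost:1234' },
  cliClient: { host: '127.0.0.1:1234' },
  crossSitePage: { host: 'localhost:1234', origin: 'https://evil.example' },
  crossSiteWebSocket: { host: 'localhost:1234', origin: 'https://evil.example', upgrade: 'websocket' },
  dnsRebinding: { host: 'rebind.example:1234', origin: 'http://rebind.example:1234' },
  malformedHost: { host: 'localhost/../etc' },
};

// Run every sample through the gate and return a name -> decision map.
function evaluateSamples(samples = SAMPLE_REQUESTS) {
  const decisions = {};
  for (const [name, headers] of Object.entries(samples)) {
    decisions[name] = checkRequest(headers);
  }
  return decisions;
}

console.log(JSON.stringify(evaluateSamples(), null, 2));
```

Only the same-origin page receives an `Access-Control-Allow-Origin` header, and it is the page's own origin rather than `*`; the cross-site page and the cross-site WebSocket upgrade are refused on Origin, the rebinding request is refused on Host before Origin is even consulted, and a client that sends no Origin is treated as non-browser traffic under the stated assumption.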

WAF Protection Rules

WAF Rule

npm parcel *.*.*-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHttpRequests to the application's development server and read the response to steal source code when developers visit them.
