Publish GHSA-qm9p-f9j5-w83w

advisory-database[bot] · advisory-database[bot] · commit 9059254ed1fa · 2026-04-13T18:51:37.000Z
diff --git a/advisories/github-reviewed/2025/09/GHSA-qm9p-f9j5-w83w/GHSA-qm9p-f9j5-w83w.json b/advisories/github-reviewed/2025/09/GHSA-qm9p-f9j5-w83w/GHSA-qm9p-f9j5-w83w.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qm9p-f9j5-w83w",
-  "modified": "2026-01-29T02:37:59Z",
+  "modified": "2026-04-13T18:49:40Z",
   "published": "2025-09-17T21:30:42Z",
   "aliases": [
     "CVE-2025-56648"
   ],
   "summary": "Parcel has an Origin Validation Error vulnerability",
-  "details": "parcel versions 1.6.1 and above have an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.",
+  "details": "parcel versions 1.6.1 and above have an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them. Version 2.16.4 supports a `--no-cors` option which disables CORS headers in the dev server.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -28,11 +28,14 @@
               "introduced": "1.6.1"
             },
             {
-              "last_affected": "2.16.3"
+              "fixed": "2.16.4"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.16.3"
+      }
     }
   ],
   "references": [
@@ -52,6 +55,10 @@
       "type": "WEB",
       "url": "https://github.com/parcel-bundler/parcel/commit/4bc56e3242a85491c7edf589966e9b44c6330c49"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parcel-bundler/parcel/commit/9e2f6f1377123cff3b82f6dde4e20336efc846a1"
+    },
     {
       "type": "WEB",
       "url": "https://gist.github.com/R4356th/41f468def606b2406e36f7193f5322b8"

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,13 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-qm9p-f9j5-w83w",`
`4`		`- "modified": "2026-01-29T02:37:59Z",`
	`4`	`+ "modified": "2026-04-13T18:49:40Z",`
`5`	`5`	`"published": "2025-09-17T21:30:42Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2025-56648"`
`8`	`8`	`],`
`9`	`9`	`"summary": "Parcel has an Origin Validation Error vulnerability",`
`10`		`- "details": "parcel versions 1.6.1 and above have an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them.",`
	`10`	+ "details": "parcel versions 1.6.1 and above have an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them. Version 2.16.4 supports a `--no-cors` option which disables CORS headers in the dev server.",
`11`	`11`	`"severity": [`
`12`	`12`	`{`
`13`	`13`	`"type": "CVSS_V3",`
`@@ -28,11 +28,14 @@`
`28`	`28`	`"introduced": "1.6.1"`
`29`	`29`	`},`
`30`	`30`	`{`
`31`		`- "last_affected": "2.16.3"`
	`31`	`+ "fixed": "2.16.4"`
`32`	`32`	`}`
`33`	`33`	`]`
`34`	`34`	`}`
`35`		`- ]`
	`35`	`+ ],`
	`36`	`+ "database_specific": {`
	`37`	`+ "last_known_affected_version_range": "<= 2.16.3"`
	`38`	`+ }`
`36`	`39`	`}`
`37`	`40`	`],`
`38`	`41`	`"references": [`
`@@ -52,6 +55,10 @@`
`52`	`55`	`"type": "WEB",`
`53`	`56`	`"url": "https://github.com/parcel-bundler/parcel/commit/4bc56e3242a85491c7edf589966e9b44c6330c49"`
`54`	`57`	`},`
	`58`	`+ {`
	`59`	`+ "type": "WEB",`
	`60`	`+ "url": "https://github.com/parcel-bundler/parcel/commit/9e2f6f1377123cff3b82f6dde4e20336efc846a1"`
	`61`	`+ },`
`55`	`62`	`{`
`56`	`63`	`"type": "WEB",`
`57`	`64`	`"url": "https://gist.github.com/R4356th/41f468def606b2406e36f7193f5322b8"`