Description

content-security-policy-parser parses Content Security Policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier: if a policy (directive) name is __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0. A workaround is to disable the __proto__ property in Node.js, neutralizing all possible prototype pollution attacks; provide either --disable-proto=delete (recommended) or --disable-proto=throw as an argument to node to enable this feature.
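
As an added illustration, not code from content-security-policy-parser itself: a hypothetical minimal directive parser in the vulnerable shape the advisory describes (a plain object keyed by directive name, so the name __proto__ reaches the inherited setter) beside a hardened Map-based form. parseCspVulnerable, parseCspHardened, prototypeWasReplaced and SAMPLE_POLICY are assumed names and constructed input, not taken from the package.

```javascript
// Hypothetical parser pair for the bug class in CVE-2025-55164 (not the
// package's own code). Directives are "name value value; name value".

// Vulnerable shape: directive names become keys of a plain object. A computed
// assignment with the key "__proto__" does not create an own property; it
// invokes the Object.prototype.__proto__ setter and replaces the result's
// prototype with attacker-chosen data. Under node --disable-proto=delete that
// accessor is absent, so the same assignment becomes an ordinary own property.
function parseCspVulnerable(policy) {
  const result = {};
  for (const directive of policy.split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (name !== undefined) result[name] = values;
  }
  return result;
}

// Hardened shape: a Map has no prototype-backed setters, so every directive
// name, "__proto__" included, is stored as an ordinary key. Names are also
// lower-cased (CSP directive names are ASCII case-insensitive) and a repeated
// name keeps its first occurrence, as CSP requires.
function parseCspHardened(policy) {
  const result = new Map();
  for (const directive of policy.split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (name === undefined) continue;
    const key = name.toLowerCase();
    if (!result.has(key)) result.set(key, values);
  }
  return result;
}

// Regression check a maintainer could keep in a test suite: does parsing this
// policy with the vulnerable parser leave the result with a foreign prototype?
// Once the prototype is an array, lookups such as "length" in result or
// result.constructor === Array succeed for directives that were never set.
function prototypeWasReplaced(policy) {
  return Object.getPrototypeOf(parseCspVulnerable(policy)) !== Object.prototype;
}

// Constructed sample: one legitimate directive plus one named __proto__.
const SAMPLE_POLICY = "default-src 'self'; __proto__ 'unsafe-inline'";
```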

INFO

Published Date: 2025-08-12T16:02:44.952Z
Last Modified: 2025-08-20T19:39:47.679Z
Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-55164.

Vendor: Content-security-policy-parser Project
Product: Content-security-policy-parser

CVSS Vulnerability Scoring System

(CVSS vector chart not reproduced; the page listed the per-metric labels Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, and Vulnerable System / Subsequent System Confidentiality, Integrity and Availability, but no metric values survive here.)