Vulnerability Description
content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0. A workaround involves disabling prototype method in NodeJS, neutralizing all possible prototype pollution attacks. Provide either --disable-proto=delete (recommended) or --disable-proto=throw as an argument to node to enable this feature.
Related Weaknesses (CWE)
References
- https://github.com/helmetjs/content-security-policy-parser/commit/b13a52554f0168
- https://github.com/helmetjs/content-security-policy-parser/issues/11
- https://github.com/helmetjs/content-security-policy-parser/security/advisories/G
- https://www.vicarius.io/vsociety/posts/cve-2025-55164-detect-node-csp-parser-vul
- https://www.vicarius.io/vsociety/posts/cve-2025-55164-mitigate-csp-parser-vulner
FAQ
What is CVE-2025-55164?
CVE-2025-55164 is a documented vulnerability. content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one ca...
How severe is CVE-2025-55164?
CVSS scoring is not yet available for CVE-2025-55164. Check NVD for updates.
Is there a patch for CVE-2025-55164?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.