High severityOSV Advisory· Published Aug 12, 2025· Updated Apr 15, 2026
CVE-2025-55164
CVE-2025-55164
Description
content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0. A workaround involves disabling prototype method in NodeJS, neutralizing all possible prototype pollution attacks. Provide either --disable-proto=delete (recommended) or --disable-proto=throw as an argument to node to enable this feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
content-security-policy-parsernpm | < 0.6.0 | 0.6.0 |
Affected products
2- Range: v0.1.0, v0.1.1, v0.2.0, …
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-w2cq-g8g3-gm83ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-55164ghsaADVISORY
- github.com/helmetjs/content-security-policy-parser/commit/b13a52554f0168af393e3e38ed4a94e9e6aea9dcnvdWEB
- github.com/helmetjs/content-security-policy-parser/issues/11nvdWEB
- github.com/helmetjs/content-security-policy-parser/security/advisories/GHSA-w2cq-g8g3-gm83nvdWEB
- www.vicarius.io/vsociety/posts/cve-2025-55164-detect-node-csp-parser-vulnerabilitynvd
- www.vicarius.io/vsociety/posts/cve-2025-55164-mitigate-csp-parser-vulnerabilitynvd
News mentions
0No linked articles in our index yet.