CVE-2025-55164 HIGH

CVE-2025-55164: content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE

Vendor Helmetjs
Product content-security-policy-parser
Weakness CWE-1321
Published August 12, 2025
Last update August 20, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0. A workaround involves disabling prototype method in NodeJS, neutralizing all possible prototype pollution attacks. Provide either --disable-proto=delete (recommended) or --disable-proto=throw as an argument to node to enable this feature.

Key dates

02Disclosure timeline

August 12, 2025 CVE published
August 20, 2025 Record updated