Base Score

HIGH8.8

CVE-2025-55164

content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0. A workaround involves disabling prototype method in NodeJS, neutralizing all possible prototype pollution attacks. Provide either --disable-proto=delete (recommended) or --disable-proto=throw as an argument to node to enable this feature.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateAug 12, 2025, 16:15

Affected Versions(1)

content-security-policy-parser(npm)

Introduced0

Fixed0.6.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
content-security-policy-parser(npm)	0	0.6.0	N/A

Weakness Type (CWE):CWE-1321

CVSS Metrics

Base Score

8.8

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

HIGH

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

References

Base Score

HIGH8.8

Weakness Type (CWE):CWE-1321

CVSS Metrics

Base Score

8.8

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

HIGH

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

CVE-2025-55164

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateAug 12, 2025, 16:15

Package (Ecosystem)

Introduced

Fixed

Limit

content-security-policy-parser(npm)

0.6.0

N/A