CVE-2025-55164
CVE-2025-55164 is a high-severity vulnerability with a CVSS 4.0 base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1321.
Key facts
- Severity: High (CVSS 4.0 base score 8.8)
- EPSS exploit prediction: 0% (32nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-24266
- Weakness: CWE-1321
- Published:
- Last modified:
Description
content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0. A workaround involves disabling prototype method in NodeJS, neutralizing all possible prototype pollution attacks. Provide either --disable-proto=delete (recommended) or --disable-proto=throw as an argument to node to enable this feature.
Frequently asked questions
- What is CVE-2025-55164?
- content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0. A workaround involves disabling prototype method in NodeJS, neutralizing all possible prototype pollution attacks. Provide either --disable-proto=delete (recommended) or --disable-proto=throw as an argument to node to enable this feature.
- How severe is CVE-2025-55164?
- CVE-2025-55164 has a CVSS 4.0 base score of 8.8, rated high severity.
- Is CVE-2025-55164 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (32nd percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-55164?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-55164 have an EU (EUVD) identifier?
- Yes. CVE-2025-55164 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-24266.
- When was CVE-2025-55164 published?
- CVE-2025-55164 was published on 2025-08-12 and last updated on 2026-06-17.
References
- https://github.com/helmetjs/content-security-policy-parser/commit/b13a52554f0168af393e3e38ed4a94e9e6aea9dc
- https://github.com/helmetjs/content-security-policy-parser/issues/11
- https://github.com/helmetjs/content-security-policy-parser/security/advisories/GHSA-w2cq-g8g3-gm83
- https://www.vicarius.io/vsociety/posts/cve-2025-55164-detect-node-csp-parser-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-55164-mitigate-csp-parser-vulnerability
Other CWE-1321 (Prototype Pollution) vulnerabilities
- CVE-2026-25142 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__…
- CVE-2024-39008 — Critical (CVSS 10.0): robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This…
- CVE-2024-38999 — Critical (CVSS 10.0): jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This…
- CVE-2022-29823 — Critical (CVSS 10.0): Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object.…
- CVE-2022-24760 — Critical (CVSS 10.0): Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution…
- CVE-2020-12079 — Critical (CVSS 10.0): Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron…