CVE-2025-55164: content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE
A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if you provide a policy name called __proto__ you can override the Object prototype.
For example:
const parse = require('content-security-policy-parser');
const x = parse("default-src 'self'; __proto__ foobar");
console.log('raw print:', x);
console.log('toString:', x.toString());
Outputs:
raw print: Array { 'default-src': [ "'self'" ] }
toString: foobar
Whilst no gadget exists in this library, it is possible via other libraries expose functionality that enable RCE. It is customary to label prototype pollution vulnerabilities in this way. The most common effect of this is denial of service, as you can trivially overwrite properties.
As the content security policy is provided in HTTP queries, it is incredibly likely that network exploitation is possible.
References
- github.com/advisories/GHSA-w2cq-g8g3-gm83
- github.com/helmetjs/content-security-policy-parser
- github.com/helmetjs/content-security-policy-parser/commit/b13a52554f0168af393e3e38ed4a94e9e6aea9dc
- github.com/helmetjs/content-security-policy-parser/issues/11
- github.com/helmetjs/content-security-policy-parser/security/advisories/GHSA-w2cq-g8g3-gm83
- nvd.nist.gov/vuln/detail/CVE-2025-55164
Code Behaviors & Features
Detect and mitigate CVE-2025-55164 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →