{"url":"http://public2.vulnerablecode.io/api/packages/86041?format=json","purl":"pkg:npm/content-security-policy-parser@0.6.0","type":"npm","namespace":"","name":"content-security-policy-parser","version":"0.6.0","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57827?format=json","vulnerability_id":"VCID-txhf-7atd-1fhd","summary":"content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE\nA prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if you provide a policy name called `__proto__` you can override the Object prototype.\n\nFor example:\n\n```\nconst parse = require('content-security-policy-parser');\n\nconst x = parse(\"default-src 'self'; __proto__ foobar\");\nconsole.log('raw print:', x);\nconsole.log('toString:', x.toString());\n```\n\nOutputs:\n\n```\nraw print: Array { 'default-src': [ \"'self'\" ] }\ntoString: foobar\n```\n\nWhilst no gadget exists in this library, it is possible via other libraries expose functionality that enable RCE. It is customary to label prototype pollution vulnerabilities in this way. The most common effect of this is denial of service, as you can trivially overwrite properties.\n\nAs the content security policy is provided in HTTP queries, it is incredibly likely that network exploitation is possible.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55164","reference_id":"","reference_type":"","scores":[{"value":"0.00204","scoring_system":"epss","scoring_elements":"0.42397","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00204","scoring_system":"epss","scoring_elements":"0.42413","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00204","scoring_system":"epss","scoring_elements":"0.42423","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0075","scoring_system":"epss","scoring_elements":"0.73558","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0075","scoring_system":"epss","scoring_elements":"0.73532","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55164"},{"reference_url":"https://github.com/helmetjs/content-security-policy-parser","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/helmetjs/content-security-policy-parser"},{"reference_url":"https://github.com/helmetjs/content-security-policy-parser/commit/b13a52554f0168af393e3e38ed4a94e9e6aea9dc","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-12T17:52:38Z/"}],"url":"https://github.com/helmetjs/content-security-policy-parser/commit/b13a52554f0168af393e3e38ed4a94e9e6aea9dc"},{"reference_url":"https://github.com/helmetjs/content-security-policy-parser/issues/11","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-12T17:52:38Z/"}],"url":"https://github.com/helmetjs/content-security-policy-parser/issues/11"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55164","reference_id":"CVE-2025-55164","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55164"},{"reference_url":"https://github.com/advisories/GHSA-w2cq-g8g3-gm83","reference_id":"GHSA-w2cq-g8g3-gm83","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w2cq-g8g3-gm83"},{"reference_url":"https://github.com/helmetjs/content-security-policy-parser/security/advisories/GHSA-w2cq-g8g3-gm83","reference_id":"GHSA-w2cq-g8g3-gm83","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-12T17:52:38Z/"}],"url":"https://github.com/helmetjs/content-security-policy-parser/security/advisories/GHSA-w2cq-g8g3-gm83"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86041?format=json","purl":"pkg:npm/content-security-policy-parser@0.6.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/content-security-policy-parser@0.6.0"}],"aliases":["CVE-2025-55164","GHSA-w2cq-g8g3-gm83"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-txhf-7atd-1fhd"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/content-security-policy-parser@0.6.0"}