Prototype Pollution in convict
Description
A prototype pollution vulnerability in Mozilla Convict before 6.2.4 allows attackers to inject or override object attributes, potentially leading to crashes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Overview
CVE-2023-0163 is a prototype pollution vulnerability in Mozilla Convict, a configuration management library for Node.js. The issue arises from improper sanitization of certain key paths during configuration setting, specifically around the use of 'constructor.prototype' as a path component. This allows an attacker to pollute the Object prototype by injecting or overriding attributes, which can be used by other components or lead to incompatible type changes and crashes [1][4].
Exploitation
Exploitation requires the attacker to supply a malicious configuration object that includes keys like constructor.prototype or similar forbidden paths. The official advisory notes that since Convict is primarily used for server-side configurations written by administrators, the risk of direct exploitation by external users is low. However, an admin unfamiliar with JavaScript could be tricked into writing malicious configuration code, enabling the attack [1][4]. The fixing commit updated the forbidden key paths list so that the 'constructor.prototype.' path is rejected, where previously only the 'this.constructor.prototype.' spelling was [2].
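As an added illustration (not convict's own code), a minimal dotted-path setter that applies the forbidden key path list as it read before and after the fix commit and, going beyond the page's prefix list, adds a per-segment check and an own-property-only walk. How convict matches the list is not shown in the diff, so a substring match is assumed, and all function names here are hypothetical.

```javascript
// Added illustration, not convict's own code: a minimal dotted-path setter
// guarded with the denylist shown in the fix commit, plus a per-segment check
// and an own-property-only walker as further hardening. Forbidden paths are
// rejected before anything is written, so Object.prototype is never touched.

// The forbidden key path list as it read before and after the fix commit.
const FORBIDDEN_KEY_PATHS_BEFORE = ['__proto__.', 'this.constructor.prototype.'];
const FORBIDDEN_KEY_PATHS_AFTER = ['__proto__.', 'constructor.prototype.'];

// Assumption: the list is applied as a substring match against the whole key
// path; the commit shows only the list, not how it is consulted.
function isForbiddenKeyPath(path, list) {
  return list.some((forbidden) => path.includes(forbidden));
}

// Stricter check (added here): reject the dangerous names as any path
// segment, so protection does not rest on enumerating every spelling.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
function hasForbiddenSegment(path) {
  return path.split('.').some((segment) => FORBIDDEN_SEGMENTS.has(segment));
}

// Setter that refuses forbidden paths and descends only through own,
// plain-object properties, so an inherited `constructor` is never followed.
function setPath(target, path, value) {
  if (hasForbiddenSegment(path)) {
    throw new Error(`forbidden key path: ${path}`);
  }
  const segments = path.split('.');
  const last = segments.pop();
  let node = target;
  for (const segment of segments) {
    const own = Object.prototype.hasOwnProperty.call(node, segment);
    if (!own || typeof node[segment] !== 'object' || node[segment] === null) {
      node[segment] = {}; // replace anything inherited or non-object
    }
    node = node[segment];
  }
  node[last] = value;
  return target;
}

// Evaluate one key path against both lists, e.g. the path from the advisory.
function compareDenylists(path) {
  return {
    before: isForbiddenKeyPath(path, FORBIDDEN_KEY_PATHS_BEFORE),
    after: isForbiddenKeyPath(path, FORBIDDEN_KEY_PATHS_AFTER),
  };
}
```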
Impact
Successful exploitation can allow an attacker to inject arbitrary properties into the Object prototype, affecting all objects in the application. This may lead to unexpected behavior, denial of service via crashes due to type mismatches, or potentially enable further attacks if the injected properties are used by other components [1][4].
Mitigation
The vulnerability is fixed in Convict version 6.2.4. Users should upgrade to this version or later. There are no known workarounds for versions prior to the fix [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| convict (npm) | < 6.2.4 | 6.2.4 |
Patches
fb602fbe1e9f fix-imperfect-prototype-pollution-fix (#411)
2 files changed · +9 −2
packages/convict/src/main.js+1 −1 modified@@ -12,7 +12,7 @@ const cloneDeep = require('lodash.clonedeep') // Forbidden key paths, for protection against prototype pollution const FORBIDDEN_KEY_PATHS = [ '__proto__.', - 'this.constructor.prototype.', + 'constructor.prototype.', ] const ALLOWED_OPTION_STRICT = 'strict'
packages/convict/test/prototype_pollution.test.js+8 −1 modified@@ -30,10 +30,17 @@ describe('Convict prototype pollution resistance', function() { expect({}).not.toHaveProperty('nested.polluted_proto_nested') }) - test('against this.constructor.prototype', function() { + test('against constructor.prototype', function() { const obj = {} const config = convict(obj) + config.set('constructor.prototype.polluted_constructor_prototype_root', 'Polluted!') + expect({}).not.toHaveProperty('polluted_constructor_prototype_root') + + config.set('constructor.prototype.nested.polluted_constructor_prototype_nested', 'Polluted!') + expect({}).not.toHaveProperty('nested') + expect({}).not.toHaveProperty('nested.polluted_constructor_prototype_nested') + config.set('this.constructor.prototype.polluted_constructor_prototype_root', 'Polluted!') expect({}).not.toHaveProperty('polluted_constructor_prototype_root')
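Review bot: in the main.js hunk the guard remains a fixed list of path literals, and this very change shows how fragile that is: the old entry `'this.constructor.prototype.'` matched one spelling and missed `constructor.prototype.`. Consider backing the list with a per-segment check that rejects `__proto__`, `constructor` and `prototype` as any component of a key path, and adding a comment on `FORBIDDEN_KEY_PATHS` explaining that the entries intentionally end with a dot so that a later edit does not drop the separator.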
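Review bot: in the test hunk the new assertions only check that `{}` lacks the property afterwards; since an exception from `config.set` would also fail the test, the implied contract is that forbidden paths are silently dropped, and a comment saying so (or an explicit expectation on what `config.set` returns) would make that intent visible. Also, a failing case leaves `Object.prototype` polluted for every later test in the run; an `afterEach` that deletes `polluted_constructor_prototype_root` and `nested` from `Object.prototype` keeps failures isolated.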
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4jrm-c32x-w4jf (ghsa, ADVISORY)
- github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-0163 (ghsa, ADVISORY)
- github.com/mozilla/node-convict/commit/fb602fbe1e9f14f2e88ecb8179d0f76466d21ecb (ghsa, WEB)
- github.com/mozilla/node-convict/issues/410 (ghsa, issue-tracking, WEB)