Node Convict
Sign in to watchSource repositories
CVEs (2)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33864 | cri | 0.59 | — | — | Mar 26, 2026 | ### Summary A prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute `Object.prototype` via a crafted input using `String.prototype`. ### Details The vulnerability resides in line 564 of https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js where `startsWith()` function is used to check whether user provided input contain forbidden strings. ### PoC #### Steps to reproduce 1. Install latest version of convict using `npm install` or cloning from git 2. Run the following code snippet: ```javascript String.prototype.startsWith = () => false; const convict = require('convict'); let obj = {}; const config = convict(obj); console.log({}.polluted); config.set('constructor.prototype.polluted', 'yes'); console.log({}.polluted); // prints yes -> the patch is bypassed and prototype pollution occurred ``` #### Expected behavior Prototype pollution should be prevented and {} should not gain new properties. This should be printed on the console: ``` undefined undefined OR throw an Error ``` #### Actual behavior `Object.prototype` is polluted This is printed on the console: ``` undefined yes ``` ### Impact This is a prototype pollution vulnerability, which can have severe security implications depending on how convict is used by downstream applications. Any application that processes attacker-controlled input using `convict.set` may be affected. It could potentially lead to the following problems: 1. Authentication bypass 2. Denial of service 3. Remote code execution (if polluted property is passed to sinks like eval or child_process) | |
| CVE-2026-33863 | cri | 0.59 | — | — | Mar 26, 2026 | ### Impact Two unguarded prototype pollution paths exist, not covered by previous fixes: 1. `config.load()` / `config.loadFile()` — `overlay()` recursively merges config data without checking for forbidden keys. Input containing` __proto__` or `constructor.prototype` (e.g. from a JSON file) causes the recursion to reach `Object.prototype` and write attacker-controlled values onto it. 2. Schema initialization — passing a schema with `constructor.prototype.*` keys to `convict({...})` causes default-value propagation to write directly to `Object.prototype` at startup. Depending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE. ### Workarounds Do not pass untrusted data to load(), loadFile(), or convict(). ### Resources Prior advisory: [GHSA-44fc-8fm5-q62h](https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h) Related issue: [https://github.com/mozilla/node-convict/issues/423](https://github.com/mozilla/node-convict/issues/423) |