GHSA-HF2R-9GF9-RWCH

Vulnerability from github – Published: 2026-03-26 18:50 – Updated: 2026-03-26 18:50
VLAI
Summary
Convict has prototype pollution via load(), loadFile(), and schema initialization
Details

Impact

Two unguarded prototype pollution paths exist, not covered by previous fixes:

  1. config.load() / config.loadFile()overlay() recursively merges config data without checking for forbidden keys. Input containing__proto__ or constructor.prototype (e.g. from a JSON file) causes the recursion to reach Object.prototype and write attacker-controlled values onto it.
  2. Schema initialization — passing a schema with constructor.prototype.* keys to convict({...}) causes default-value propagation to write directly to Object.prototype at startup.

Depending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.

Workarounds

Do not pass untrusted data to load(), loadFile(), or convict().

Resources

Prior advisory: GHSA-44fc-8fm5-q62h Related issue: https://github.com/mozilla/node-convict/issues/423

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.2.4"
      },
      "package": {
        "ecosystem": "npm",
        "name": "convict"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:50:33Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nTwo unguarded prototype pollution paths exist, not covered by previous fixes:\n\n1. `config.load()` / `config.loadFile()` \u2014 `overlay()` recursively merges config data without checking for forbidden keys. Input containing` __proto__` or `constructor.prototype` (e.g. from a JSON file) causes the recursion to reach `Object.prototype` and write attacker-controlled values onto it.\n2. Schema initialization \u2014 passing a schema with `constructor.prototype.*` keys to `convict({...})` causes default-value propagation to write directly to `Object.prototype` at startup.\n\nDepending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.\n\n### Workarounds\nDo not pass untrusted data to load(), loadFile(), or convict().\n\n### Resources\nPrior advisory: [GHSA-44fc-8fm5-q62h](https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h)\nRelated issue: [https://github.com/mozilla/node-convict/issues/423](https://github.com/mozilla/node-convict/issues/423)",
  "id": "GHSA-hf2r-9gf9-rwch",
  "modified": "2026-03-26T18:50:34Z",
  "published": "2026-03-26T18:50:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/security/advisories/GHSA-hf2r-9gf9-rwch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/node-convict/issues/423"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mozilla/node-convict"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Convict has prototype pollution via load(), loadFile(), and schema initialization"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…