GHSA-HF2R-9GF9-RWCH
Vulnerability from github – Published: 2026-03-26 18:50 – Updated: 2026-03-26 18:50
VLAI
Summary
Convict has prototype pollution via load(), loadFile(), and schema initialization
Details
Impact
Two unguarded prototype pollution paths exist, not covered by previous fixes:
config.load()/config.loadFile()—overlay()recursively merges config data without checking for forbidden keys. Input containing__proto__orconstructor.prototype(e.g. from a JSON file) causes the recursion to reachObject.prototypeand write attacker-controlled values onto it.- Schema initialization — passing a schema with
constructor.prototype.*keys toconvict({...})causes default-value propagation to write directly toObject.prototypeat startup.
Depending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.
Workarounds
Do not pass untrusted data to load(), loadFile(), or convict().
Resources
Prior advisory: GHSA-44fc-8fm5-q62h Related issue: https://github.com/mozilla/node-convict/issues/423
Severity
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.2.4"
},
"package": {
"ecosystem": "npm",
"name": "convict"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33863"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T18:50:33Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\nTwo unguarded prototype pollution paths exist, not covered by previous fixes:\n\n1. `config.load()` / `config.loadFile()` \u2014 `overlay()` recursively merges config data without checking for forbidden keys. Input containing` __proto__` or `constructor.prototype` (e.g. from a JSON file) causes the recursion to reach `Object.prototype` and write attacker-controlled values onto it.\n2. Schema initialization \u2014 passing a schema with `constructor.prototype.*` keys to `convict({...})` causes default-value propagation to write directly to `Object.prototype` at startup.\n\nDepending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.\n\n### Workarounds\nDo not pass untrusted data to load(), loadFile(), or convict().\n\n### Resources\nPrior advisory: [GHSA-44fc-8fm5-q62h](https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h)\nRelated issue: [https://github.com/mozilla/node-convict/issues/423](https://github.com/mozilla/node-convict/issues/423)",
"id": "GHSA-hf2r-9gf9-rwch",
"modified": "2026-03-26T18:50:34Z",
"published": "2026-03-26T18:50:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/security/advisories/GHSA-hf2r-9gf9-rwch"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/issues/423"
},
{
"type": "PACKAGE",
"url": "https://github.com/mozilla/node-convict"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Convict has prototype pollution via load(), loadFile(), and schema initialization"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…