A prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype.
Two unguarded prototype pollution paths exist, not covered by previous fixes: config.load() / config.loadFile() — overlay() recursively merges config data without checking for forbidden keys. Input containing proto or constructor.prototype (e.g. from a JSON file) causes the recursion to reach Object.prototype and write attacker-controlled values onto it. Schema initialization — passing a schema with constructor.prototype.* keys to convict({…}) causes default-value propagation to write directly to Object.prototype at startup. Depending on …
This advisory duplicates another.
An attacker can inject attributes that are used in other components An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash. The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an …
This affects the package convict before 6.2.3. This is a bypass of CVE-2022-22143 introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with proto or this.constructor.prototype. To bypass this check it's possible to prepend the dangerous paths with any string value followed by a dot, like for example foo.proto or foo.this.constructor.prototype.
The package convict before 6.2.2 is vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. Note: This vulnerability derives from an incomplete fix of another vulnerability
This advisory duplicates another.