CVE-2023-0163: convict vulnerable to Prototype Pollution
- An attacker can inject attributes that are used in other components.
- An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.
The main use case of Convict is handling server-side configurations written by the admins who own the servers, not by arbitrary users, so it is unlikely that an admin would deliberately sabotage their own server. Still, a situation can arise where an admin who is not knowledgeable about JavaScript is tricked by an attacker into writing malicious JavaScript code into a config file.
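The bug class the advisory describes, shown as an added example that is not convict's code: a dotted-path config setter of the kind a configuration library exposes, first written naively so that a key path such as `__proto__.isAdmin` read from a config file lands on `Object.prototype`, then hardened by rejecting prototype-reaching keys and using null-prototype intermediates. The function names and the sample key are assumptions.

```javascript
// Added illustration, not convict's code: a dotted-path config setter,
// first naive, then hardened against prototype pollution.
// Naive: walks the path and creates intermediates with no key filtering,
// so "__proto__" leads straight to Object.prototype.
function setPathNaive(target, path, value) {
  const keys = path.split(".");
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== "object" || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: refuse keys that reach Object.prototype, descend only into own
// properties, and create intermediates that inherit nothing.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function setPathSafe(target, path, value) {
  const keys = path.split(".");
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`refusing config key "${k}": prototype pollution guard`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, keys[i]);
    if (!own || typeof cur[keys[i]] !== "object" || cur[keys[i]] === null) {
      cur[keys[i]] = Object.create(null);
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Demo: the same constructed config key, through both setters.
function demo() {
  setPathNaive({}, "__proto__.isAdmin", true);
  const leakedViaNaive = ({}).isAdmin; // true: every object now inherits it
  delete Object.prototype.isAdmin; // undo the demo's pollution
  let rejected = false;
  try { setPathSafe({}, "__proto__.isAdmin", true); } catch (e) { rejected = true; }
  return { leakedViaNaive, rejected, leakedViaSafe: ({}).isAdmin }; // undefined
}
```

The `leakedViaNaive` value is the "attributes used in other components" effect from the advisory: unrelated objects inherit the injected property until the process restarts.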
References
- github.com/advisories/GHSA-4jrm-c32x-w4jf
- github.com/mozilla/node-convict
- github.com/mozilla/node-convict/commit/fb602fbe1e9f14f2e88ecb8179d0f76466d21ecb
- github.com/mozilla/node-convict/issues/410
- github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf
- nvd.nist.gov/vuln/detail/CVE-2023-0163