CVE-2022-21803: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

April 13, 2022 (updated April 22, 2022)

This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.

References

github.com/advisories/GHSA-6xwr-q98w-rvg7
github.com/indexzero/nconf/pull/397
github.com/indexzero/nconf/releases/tag/v0.11.4
nvd.nist.gov/vuln/detail/CVE-2022-21803
snyk.io/vuln/SNYK-JS-NCONF-2395478

Detect and mitigate CVE-2022-21803 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →