
OSV
added 2026/03/26 6:50 p.m.

GHSA-HF2R-9GF9-RWCH Convict has prototype pollution via load(), loadFile(), and schema initialization

Impact Two unguarded prototype pollution paths exist, not covered by previous fixes: 1. config.load / config.loadFile — overlay recursively merges config data without checking for forbidden keys. Input containing proto or constructor.prototype e.g. from a JSON file causes the recursion to reach...

CVSS 9.4, AI score 5.9
Exploits: 0, References: 4
Positive Technologies
added 2026/03/26 12:00 a.m.

PT-2026-28539

Name of the Vulnerable Software and Affected Versions: Convict (affected versions not specified). Description: The software contains two prototype pollution flaws not addressed by prior fixes. The first flaw exists in the config.load and config.loadFile functions, where the overlay function recursivel...

CVSS 9.4, AI score 6.1
Exploits: 0, References: 6
OSV
added 2024/11/26 12:15 p.m.

CVE-2023-0163

Improperly Controlled Modification of Object Prototype Attributes 'Prototype Pollution' vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a...

CVSS 8.4, AI score 5.8
Exploits: 0, References: 2
CNNVD
added 2023/01/30 12:00 a.m.

convict security vulnerability

convict is a featured configuration management library for Node.js. A security vulnerability exists in convict, which stems from improperly controlled modifications to object prototype attributes...

CVSS 8.4, AI score 5.5, EPSS 0.00121
Exploits: 1, References: 2
OSV
added 2022/05/14 12:01 a.m.

GHSA-JJF5-WX3J-3FV7 Prototype Pollution in convict

This affects the package convict before 6.2.3. This is a bypass of CVE-2022-22143. The fix introduced relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with proto or this.constructor.prototype. To bypass this check it's...

CVSS 9.8, AI score 7.2, EPSS 0.00668
Exploits: 1, References: 7
CNNVD
added 2022/05/13 12:00 a.m.

convict security vulnerability

convict is a featured configuration management library for Node.js. A security vulnerability exists in versions prior to convict 6.2.3...

CVSS 9.8, AI score 8.3, EPSS 0.00668
Exploits: 1, References: 6
CNNVD
added 2022/05/01 12:00 a.m.

convict security vulnerability

convict is a featured configuration management library for Node.js. A security vulnerability exists in versions prior to convict 6.2.2, which stems from the lack of parentKey validation and is susceptible to prototype contamination of the convict function...

CVSS 9.8, AI score 8.2, EPSS 0.01732
Exploits: 1, References: 5