GHSA-44FC-8FM5-Q62H Convict has Prototype Pollution via startsWith() function
Summary: A prototype pollution vulnerability exists in the latest version of the convict npm package, 6.2.4. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute Object.prototype via a...
Prototype Pollution
Overview: convict is a package that expands on the standard pattern of configuring node.js applications in a way that is more robust and accessible to collaborators, who may have less interest in digging through imperative code in order to inspect or modify settings. By introducing a configuration...
@antora/cli (>=2.3.2 <=3.0.0-alpha.9), @antora/playbook-builder (>=2.3.2 <=3.0.0-alpha.9) +100 more potentially affected by CVE-2026-33863 via convict (>=6.0.0 <=6.2.4)
convict NPM version =6.0.0, =2.3.2, =2.3.2, =2.3.2, =1.6.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.7.0 and more Source cves: CVE-2026-33863 Source advisory: SNYK:JS-CONVICT-15790594...
GHSA-HF2R-9GF9-RWCH Convict has prototype pollution via load(), loadFile(), and schema initialization
Impact: Two unguarded prototype pollution paths exist, not covered by previous fixes: 1. config.load / config.loadFile: overlay recursively merges config data without checking for forbidden keys. Input containing __proto__ or constructor.prototype, e.g. from a JSON file, causes the recursion to reach...
PT-2026-28539
Name of the Vulnerable Software and Affected Versions: Convict, affected versions not specified. Description: The software contains two prototype pollution flaws not addressed by prior fixes. The first flaw exists in the config.load and config.loadFile functions, where the overlay function recursivel...
PT-2026-28540
Name of the Vulnerable Software and Affected Versions: convict version 6.2.4. Description: A prototype pollution issue exists in the convict npm package. The issue stems from an incomplete fix that attempted to prevent prototype pollution by checking if user input begins with a prohibited key...
CVE-2026-33864
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-24 15:53:51+00:00 | published-proof-of-concept | https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h... |
Prototype Pollution
Overview: convict is a package that expands on the standard pattern of configuring node.js applications in a way that is more robust and accessible to collaborators, who may have less interest in digging through imperative code in order to inspect or modify settings. By introducing a configuration...
@antora/cli (>=2.3.2 <=3.0.0-alpha.9), @antora/playbook-builder (>=2.3.2 <=3.0.0-alpha.9) +54 more potentially affected by CVE-2026-33864 via convict (>=6.0.0 <=6.2.2)
convict NPM version =6.0.0, =2.3.2, =2.3.2, =2.3.2, =1.6.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.7.0 and more Source cves: CVE-2026-33864 Source advisory: SNYK:JS-CONVICT-15182994...
EUVD-2025-175444
Malicious code in yildun-cors-convict-ursa npm...
EUVD-2025-178162
Malicious code in lacerta-paleobotany-convict-babel npm...
EUVD-2025-179490
Malicious code in cryonics-convict-tectonophysics-interstellarmedium npm...
Malicious code in convict-private-cors-superagent (npm)
Source: amazon-inspector ace10051a820256b1feb41cfdb500d090f5eb7eb32135cb711b558c71818aada. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-179586
Malicious code in convict-miranda-deimos-astrochemistry npm...
EUVD-2025-179245
Malicious code in draco-convict-carina-superagent npm...
EUVD-2025-179582
Malicious code in convict-thuban-blackhole-chromedriver npm...
MAL-2025-186298 Malicious code in convict-quantum-hermes-enif (npm)
Source: amazon-inspector 5cf996ad2856885b1746d8ad7f02dbbaf7e4d0f0ead39b1688e7e449f4a6c576. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-186801 Malicious code in equinox-sedna-sequelize-convict (npm)
Source: amazon-inspector 49d21c1e2f37e5e821a84eed480f80f27b364ea4e2b3e2b5cc5e1d16499a649a. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-179587
Malicious code in convict-axios-cosmogenic-miranda npm...