12 matches found
GHSA-44FC-8FM5-Q62H Convict has Prototype Pollution via startsWith() function
Summary A prototype pollution vulnerability exists in the latest version of the convict npm package 6.2.4. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute Object.prototype via a...
Prototype Pollution
Overview convict is a package that expands on the standard pattern of configuring node.js applications in a way that is more robust and accessible to collaborators, who may have less interest in digging through imperative code in order to inspect or modify settings. By introducing a configuration...
PT-2026-28540
Name of the Vulnerable Software and Affected Versions convict versions 6.2.4 Description A prototype pollution issue exists in the convict npm package. The issue stems from an incomplete fix that attempted to prevent prototype pollution by checking if user input begins with a prohibited key...
EUVD-2022-1861
Malicious code in bioql PyPI...
EUVD-2022-4383
Malicious code in bioql PyPI...
CVE-2022-21190 Prototype Pollution
This affects the package convict before 6.2.3. This is a bypass of CVE-2022-22143. The fix introduced relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with `__proto__` or `this.constructor.prototype`. To bypass this check it's...
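The guard pattern the CVE-2022-21190 entry describes, as an added JavaScript illustration that is not convict's code and does not reproduce its fix: a toy dotted-path setter whose only check is a startsWith() prefix test on the raw string, beside a setter that validates every segment. The sample paths are constructed for the demonstration; the entry above truncates the actual bypass, and the paths here only make the general point that a prefix check on the unsplit string says nothing about the segments that come after the first dot.

```javascript
// Added illustration, not convict's code: why a startsWith() guard on a dotted
// key path does not stop prototype pollution, and a per-segment guard that does.

// Keys that must never be walked or assigned through a user-supplied path.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable pattern: only the *start* of the raw path string is inspected,
// then the path is split and walked key by key, creating missing objects.
function setPathPrefixGuard(target, path, value) {
  if (path.startsWith("__proto__") || path.startsWith("this.constructor.prototype")) {
    throw new Error("forbidden key");
  }
  const parts = path.split(".");
  let obj = target;
  for (const key of parts.slice(0, -1)) {
    if (obj[key] === undefined || obj[key] === null) obj[key] = {};
    obj = obj[key]; // "__proto__" as a later segment lands on Object.prototype
  }
  obj[parts[parts.length - 1]] = value;
  return target;
}

// Hardened pattern: reject empty and forbidden segments anywhere in the path,
// descend only into own object properties, and create prototype-less containers.
function setPathSegmentGuard(target, path, value) {
  const parts = path.split(".");
  for (const key of parts) {
    if (key === "" || FORBIDDEN_SEGMENTS.has(key)) {
      throw new Error("forbidden key segment: " + JSON.stringify(key));
    }
  }
  let obj = target;
  for (const key of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(obj, key);
    if (!own || typeof obj[key] !== "object" || obj[key] === null) {
      obj[key] = Object.create(null);
    }
    obj = obj[key];
  }
  obj[parts[parts.length - 1]] = value;
  return target;
}

// Applies `setter` to a fresh object and reports whether Object.prototype was
// polluted (the marker becomes visible on a brand-new object). Always cleans
// up afterwards so the probe does not leak into the rest of the process.
function pollutesGlobalPrototype(setter, path) {
  try {
    setter({}, path, "polluted");
    return ({}).marker === "polluted";
  } catch (e) {
    return false; // the guard rejected the path
  } finally {
    delete Object.prototype.marker;
  }
}

// Constructed sample paths; the last key is the property probed for above.
const SAMPLE_PATHS = [
  "__proto__.marker",               // caught by the prefix check
  "a.__proto__.marker",             // same key as an inner segment: not caught
  ".__proto__.marker",              // leading dot: first segment is "", not __proto__
  "a.constructor.prototype.marker", // reaches Object.prototype via constructor
];

function reportPrefixGuard() {
  return SAMPLE_PATHS.map((p) => pollutesGlobalPrototype(setPathPrefixGuard, p));
}

function reportSegmentGuard() {
  return SAMPLE_PATHS.map((p) => pollutesGlobalPrototype(setPathSegmentGuard, p));
}

console.log("prefix guard polluted:", reportPrefixGuard());   // [false, true, true, true]
console.log("segment guard polluted:", reportSegmentGuard()); // [false, false, false, false]
console.log("benign path:", setPathSegmentGuard({}, "db.host", "localhost"));
```

The per-segment guard is the check a reviewer should look for in any code that turns user-controlled strings into property walks: validate after splitting, not before, and never treat a prefix test on the raw string as a substitute.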
CVE-2022-22143
The package convict before 6.2.2 is vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. Note: This vulnerability derives from an incomplete fix of another vulnerability...
Prototype Pollution in mozilla/node-convict
Description convict is vulnerable to Prototype Pollution. This package allows modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file (poc.js): var convict = require("convict"); var obj = {}; var config =...