3 matches found
CVE-2022-22143
CVE-2022-22143 is a Prototype Pollution flaw in the convict package before 6.2.3. The fix for a related issue was incomplete, enabling pollution through convict’s path handling (parentKey) and bypasses that rely on startsWith; attackers can inject or override attributes, potentially causing crash...
CVE-2022-21190
CVE-2022-21190 affects convict before 6.2.3. The issue is a prototype pollution bypass tied to CVE-2022-22143: the fix that uses startsWith to block dangerous paths does not fully prevent pollution because attackers can prepend paths (e.g., foo.__proto__) to bypass the check. Public sources (includi...
CVE-2023-0163
CVE-2023-0163 applies to Mozilla Convict prior to 6.2.4, describing a prototype pollution flaw that allows an attacker to modify object prototype attributes or inject attributes used elsewhere, potentially leading to a crash. The vulnerability affects server-side configuration handling by admins ...