CVE-2026-33863 (node-convict: prototype pollution)
Impact
Two unguarded prototype pollution paths exist that the previous fixes do not cover:
- config.load() / config.loadFile(): overlay() recursively merges config data without checking for forbidden keys. Input containing __proto__ or constructor.prototype (for example from a JSON file) makes the recursion reach Object.prototype and write attacker-controlled values onto it.
- Schema initialization: passing a schema with constructor.prototype.* keys to convict({...}) causes default-value propagation to write directly to Object.prototype at startup.
Depending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.
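The two paths above, as an added example that is not node-convict's own code: a minimal recursive overlay and a dotted-key default-value walk in the style the advisory describes, each shown unguarded (the recursion lands on Object.prototype and writes there) and guarded (forbidden keys are rejected before any write). The function names, the config and schema shapes, and the JSON payloads are constructed for this illustration and are assumptions, not convict's API.

```javascript
// Added example, not node-convict's own code. A minimal recursive overlay and a
// schema default-value walk in the style the advisory describes, each shown
// unguarded (writes onto Object.prototype) and guarded (rejects forbidden keys).
// Function names, the config/schema shapes and the payloads are constructed here.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unguarded overlay: for key "__proto__" (or "constructor" then "prototype")
// dst[key] is not undefined, so the recursion descends into Object.prototype.
function naiveOverlay(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (isPlainObject(val)) {
      if (dst[key] === undefined) dst[key] = {};
      naiveOverlay(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Guarded overlay: reject forbidden keys at every depth and only descend into
// own, plain-object properties of dst, never inherited ones.
function safeOverlay(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden key "${key}"`);
    const val = src[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = {};
      }
      safeOverlay(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Unguarded default propagation over dotted schema keys: the path
// "constructor.prototype.isAdmin" resolves node to Object.prototype.
function naiveApplyDefaults(schema, config = {}) {
  for (const [path, spec] of Object.entries(schema)) {
    const parts = path.split('.');
    let node = config;
    for (const part of parts.slice(0, -1)) {
      if (node[part] === undefined) node[part] = {};
      node = node[part];
    }
    node[parts[parts.length - 1]] = spec.default;
  }
  return config;
}

// Guarded: vet every path segment before any write happens.
function safeApplyDefaults(schema, config = {}) {
  for (const path of Object.keys(schema)) {
    for (const part of path.split('.')) {
      if (FORBIDDEN_KEYS.has(part)) throw new Error(`forbidden schema key "${path}"`);
    }
  }
  return naiveApplyDefaults(schema, config);
}

// Runs fn, reads prop through an unrelated object's prototype chain (so a
// non-undefined result proves Object.prototype was written), then cleans up.
function leakedValue(fn, prop) {
  const unrelated = {};
  try { fn(); } catch (e) { /* guarded variants throw; nothing leaked */ }
  const leaked = unrelated[prop];
  delete Object.prototype[prop];
  return leaked;
}

// Constructed payloads standing in for an untrusted JSON config file and schema.
const protoPayload = JSON.parse('{"__proto__": {"polluted": "yes"}}');
const ctorPayload = JSON.parse('{"constructor": {"prototype": {"isAdmin": true}}}');
const badSchema = { 'constructor.prototype.isAdmin': { format: Boolean, default: true } };

console.log('naiveOverlay  __proto__   ->', leakedValue(() => naiveOverlay({}, protoPayload), 'polluted'));
console.log('naiveOverlay  constructor ->', leakedValue(() => naiveOverlay({}, ctorPayload), 'isAdmin'));
console.log('naiveDefaults schema      ->', leakedValue(() => naiveApplyDefaults(badSchema), 'isAdmin'));
console.log('safeOverlay   __proto__   ->', leakedValue(() => safeOverlay({}, protoPayload), 'polluted'));
console.log('safeDefaults  schema      ->', leakedValue(() => safeApplyDefaults(badSchema), 'isAdmin'));
```

Note that JSON.parse creates an own property literally named "__proto__", which is why Object.keys() yields it and why a merge that then reads dst["__proto__"] hits the inherited accessor. Checking keys at every recursion level is what matters: a top-level check alone still lets constructor.prototype through one step down. As defense in depth, build config objects with Object.create(null) or freeze Object.prototype at startup so a missed path cannot write to it.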
Workarounds
Do not pass untrusted data to load(), loadFile(), or convict().
Resources
Prior advisory: GHSA-44fc-8fm5-q62h
Related issue: https://github.com/mozilla/node-convict/issues/423
References
https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h
https://github.com/mozilla/node-convict/security/advisories/GHSA-hf2r-9gf9-rwch
https://github.com/mozilla/node-convict/issues/423
https://github.com/mozilla/node-convict