Convict NPM Package Prototype Pollution Vulnerability
The `convict` npm package is vulnerable to prototype pollution via the `load()`, `loadFile()`, and schema initialization functions, allowing attackers to overwrite properties on `Object.prototype` by supplying malicious input, potentially leading to unexpected behavior, authentication bypass, or remote code execution, affecting versions 6.2.4 and earlier.
The convict npm package, versions 6.2.4 and earlier, contains a prototype pollution vulnerability that can be exploited through multiple attack vectors. Two primary paths have been identified: configuration loading via config.load() or config.loadFile(), where recursive merging of configuration data fails to sanitize input keys, and schema initialization, where crafting a schema with malicious constructor.prototype.* keys allows for direct writes to Object.prototype during application startup. Successful exploitation allows attackers to inject or modify properties on the Object.prototype, potentially leading to critical consequences such as authentication bypass or remote code execution. This vulnerability arises from insufficient input validation when processing configuration data. Defenders need to ensure that they are not passing untrusted data into convict's load, loadFile or schema initialization methods.
Attack Chain
- An attacker identifies a vulnerable application using the
convictnpm package version 6.2.4 or earlier. - The attacker crafts a malicious JSON configuration file containing
__proto__orconstructor.prototypekeys with attacker-controlled values. - The attacker injects this malicious JSON data into the application, potentially through a file upload, API endpoint, or other data input mechanisms.
- The application calls
config.load()orconfig.loadFile()with the attacker-controlled JSON data. - The
overlay()function recursively merges the attacker-provided data with the existing configuration. - Due to the lack of input validation, the recursion reaches
Object.prototype. - The attacker's malicious values are written to
Object.prototype, polluting the prototype. - Depending on how the polluted properties are consumed by the application, this can lead to unexpected behavior, authentication bypass, or remote code execution.
Impact
Successful exploitation of this vulnerability allows attackers to inject or modify properties on the Object.prototype, potentially leading to unexpected behavior, authentication bypass, or remote code execution. The impact of this vulnerability depends heavily on how the application utilizes properties of Object.prototype. Given the widespread use of convict for configuration management in Node.js applications, a successful attack could compromise numerous systems across various sectors.
Recommendation
- Upgrade the
convictnpm package to a version greater than 6.2.4 to remediate CVE-2026-33863. - Implement strict input validation to sanitize data before passing it to
load(),loadFile(), orconvict({...}), as described in the advisory. - Deploy the Sigma rule to detect attempts to write to
Object.prototypevia configuration files in web server logs.
Detection coverage 2
Detect Prototype Pollution via Config File Upload
highDetects attempts to exploit prototype pollution vulnerabilities by identifying configuration file uploads containing `__proto__` or `constructor.prototype` in web server logs.
Detect Prototype Pollution Attempt via process arguments
highDetects possible prototype pollution attempts based on process arguments.
Detection queries are available on the platform. Get full rules →