{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/convict/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["convict"],"_cs_severities":["critical"],"_cs_tags":["prototype-pollution","npm","convict"],"_cs_type":"advisory","_cs_vendors":["Mozilla"],"content_html":"\u003cp\u003eThe \u003ccode\u003econvict\u003c/code\u003e npm package, versions 6.2.4 and earlier, contains a prototype pollution vulnerability that can be exploited through multiple attack vectors. Two primary paths have been identified: configuration loading via \u003ccode\u003econfig.load()\u003c/code\u003e or \u003ccode\u003econfig.loadFile()\u003c/code\u003e, where recursive merging of configuration data fails to sanitize input keys, and schema initialization, where crafting a schema with malicious \u003ccode\u003econstructor.prototype.*\u003c/code\u003e keys allows for direct writes to \u003ccode\u003eObject.prototype\u003c/code\u003e during application startup. Successful exploitation allows attackers to inject or modify properties on the \u003ccode\u003eObject.prototype\u003c/code\u003e, potentially leading to critical consequences such as authentication bypass or remote code execution. This vulnerability arises from insufficient input validation when processing configuration data. Defenders need to ensure that they are not passing untrusted data into \u003ccode\u003econvict\u003c/code\u003e's \u003ccode\u003eload\u003c/code\u003e, \u003ccode\u003eloadFile\u003c/code\u003e or schema initialization methods.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable application using the \u003ccode\u003econvict\u003c/code\u003e npm package version 6.2.4 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JSON configuration file containing \u003ccode\u003e__proto__\u003c/code\u003e or \u003ccode\u003econstructor.prototype\u003c/code\u003e keys with attacker-controlled values.\u003c/li\u003e\n\u003cli\u003eThe attacker injects this malicious JSON data into the application, potentially through a file upload, API endpoint, or other data input mechanisms.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003econfig.load()\u003c/code\u003e or \u003ccode\u003econfig.loadFile()\u003c/code\u003e with the attacker-controlled JSON data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eoverlay()\u003c/code\u003e function recursively merges the attacker-provided data with the existing configuration.\u003c/li\u003e\n\u003cli\u003eDue to the lack of input validation, the recursion reaches \u003ccode\u003eObject.prototype\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker's malicious values are written to \u003ccode\u003eObject.prototype\u003c/code\u003e, polluting the prototype.\u003c/li\u003e\n\u003cli\u003eDepending on how the polluted properties are consumed by the application, this can lead to unexpected behavior, authentication bypass, or remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to inject or modify properties on the \u003ccode\u003eObject.prototype\u003c/code\u003e, potentially leading to unexpected behavior, authentication bypass, or remote code execution. The impact of this vulnerability depends heavily on how the application utilizes properties of \u003ccode\u003eObject.prototype\u003c/code\u003e. Given the widespread use of \u003ccode\u003econvict\u003c/code\u003e for configuration management in Node.js applications, a successful attack could compromise numerous systems across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003econvict\u003c/code\u003e npm package to a version greater than 6.2.4 to remediate CVE-2026-33863.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation to sanitize data before passing it to \u003ccode\u003eload()\u003c/code\u003e, \u003ccode\u003eloadFile()\u003c/code\u003e, or \u003ccode\u003econvict({...})\u003c/code\u003e, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to write to \u003ccode\u003eObject.prototype\u003c/code\u003e via configuration files in web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-convict-prototype-pollution/","summary":"The `convict` npm package is vulnerable to prototype pollution via the `load()`, `loadFile()`, and schema initialization functions, allowing attackers to overwrite properties on `Object.prototype` by supplying malicious input, potentially leading to unexpected behavior, authentication bypass, or remote code execution, affecting versions 6.2.4 and earlier.","title":"Convict NPM Package Prototype Pollution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-convict-prototype-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed - Convict","version":"https://jsonfeed.org/version/1.1"}