<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Convict - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/convict/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/convict/feed.xml" rel="self" type="application/rss+xml"/><item><title>Convict NPM Package Prototype Pollution Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-convict-prototype-pollution/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-convict-prototype-pollution/</guid><description>The `convict` npm package is vulnerable to prototype pollution via the `load()`, `loadFile()`, and schema initialization functions, allowing attackers to overwrite properties on `Object.prototype` by supplying malicious input, potentially leading to unexpected behavior, authentication bypass, or remote code execution, affecting versions 6.2.4 and earlier.</description><content:encoded><![CDATA[<p>The <code>convict</code> npm package, versions 6.2.4 and earlier, contains a prototype pollution vulnerability that can be exploited through multiple attack vectors. Two primary paths have been identified: configuration loading via <code>config.load()</code> or <code>config.loadFile()</code>, where recursive merging of configuration data fails to sanitize input keys, and schema initialization, where crafting a schema with malicious <code>constructor.prototype.*</code> keys allows for direct writes to <code>Object.prototype</code> during application startup. Successful exploitation allows attackers to inject or modify properties on the <code>Object.prototype</code>, potentially leading to critical consequences such as authentication bypass or remote code execution. This vulnerability arises from insufficient input validation when processing configuration data. Defenders need to ensure that they are not passing untrusted data into <code>convict</code>'s <code>load</code>, <code>loadFile</code> or schema initialization methods.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable application using the <code>convict</code> npm package version 6.2.4 or earlier.</li>
<li>The attacker crafts a malicious JSON configuration file containing <code>__proto__</code> or <code>constructor.prototype</code> keys with attacker-controlled values.</li>
<li>The attacker injects this malicious JSON data into the application, potentially through a file upload, API endpoint, or other data input mechanisms.</li>
<li>The application calls <code>config.load()</code> or <code>config.loadFile()</code> with the attacker-controlled JSON data.</li>
<li>The <code>overlay()</code> function recursively merges the attacker-provided data with the existing configuration.</li>
<li>Due to the lack of input validation, the recursion reaches <code>Object.prototype</code>.</li>
<li>The attacker's malicious values are written to <code>Object.prototype</code>, polluting the prototype.</li>
<li>Depending on how the polluted properties are consumed by the application, this can lead to unexpected behavior, authentication bypass, or remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to inject or modify properties on the <code>Object.prototype</code>, potentially leading to unexpected behavior, authentication bypass, or remote code execution. The impact of this vulnerability depends heavily on how the application utilizes properties of <code>Object.prototype</code>. Given the widespread use of <code>convict</code> for configuration management in Node.js applications, a successful attack could compromise numerous systems across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>convict</code> npm package to a version greater than 6.2.4 to remediate CVE-2026-33863.</li>
<li>Implement strict input validation to sanitize data before passing it to <code>load()</code>, <code>loadFile()</code>, or <code>convict({...})</code>, as described in the advisory.</li>
<li>Deploy the Sigma rule to detect attempts to write to <code>Object.prototype</code> via configuration files in web server logs.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>prototype-pollution</category><category>npm</category><category>convict</category></item></channel></rss>