GHSA-hf2r-9gf9-rwch
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hf2r-9gf9-rwch
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-hf2r-9gf9-rwch/GHSA-hf2r-9gf9-rwch.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hf2r-9gf9-rwch
- Aliases
-
- CVE-2026-33863
- Published
- 2026-03-26T18:50:33Z
- Modified
- 2026-03-26T19:02:47.500634Z
- Severity
-
- 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- Convict has prototype pollution via load(), loadFile(), and schema initialization
- Details
-
Impact
Two unguarded prototype pollution paths exist, not covered by previous fixes:
config.load()/config.loadFile()—overlay()recursively merges config data without checking for forbidden keys. Input containing__proto__orconstructor.prototype(e.g. from a JSON file) causes the recursion to reachObject.prototypeand write attacker-controlled values onto it.- Schema initialization — passing a schema with
constructor.prototype.*keys toconvict({...})causes default-value propagation to write directly toObject.prototypeat startup.
Depending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.
Workarounds
Do not pass untrusted data to load(), loadFile(), or convict().
Resources
Prior advisory: GHSA-44fc-8fm5-q62h Related issue: https://github.com/mozilla/node-convict/issues/423
- Database specific
{ "nvd_published_at": null, "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-1321" ], "github_reviewed_at": "2026-03-26T18:50:33Z" }- References
Affected packages
npm / convict
Package
- Name
- convict
- View open source insights on deps.dev
- Purl
- pkg:npm/convict