Two unguarded prototype pollution paths exist, not covered by previous fixes:
config.load() / config.loadFile() — overlay() recursively merges config data without checking for forbidden keys. Input containing__proto__ or constructor.prototype (e.g. from a JSON file) causes the recursion to reach Object.prototype and write attacker-controlled values onto it.constructor.prototype.* keys to convict({...}) causes default-value propagation to write directly to Object.prototype at startup.Depending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.
Do not pass untrusted data to load(), loadFile(), or convict().
Prior advisory: GHSA-44fc-8fm5-q62h
Related issue: https://github.com/mozilla/node-convict/issues/423
No EPSS score in this advisory JSON.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 9.4 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-hf2r-9gf9-rwch ↗ |
| CVE | CVE-2026-33863 ↗ |
| CWE id | Name |
|---|---|
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | convict | <= 6.2.4 | 6.2.5 | — |