An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1qamY1LXd4M2otM2Z2N84AATH2

Severity: Critical
EPSS: 0.00633% (0.69516 percentile)

Prototype Pollution in convict

Affected Packages: npm:convict (PURL: pkg:npm/convict)
Affected Versions: < 6.2.3
Fixed Versions: 6.2.3

489 dependent packages
2,529 dependent repositories
3,150,781 downloads last month

Affected Version Ranges

All affected versions

0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 2.0.0, 3.0.0, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 6.0.0, 6.0.1, 6.1.0, 6.2.0, 6.2.1, 6.2.2

All unaffected versions

6.2.3, 6.2.4

This affects the package convict before 6.2.3. It is a bypass of CVE-2022-22143. The fix that was introduced relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks whether the whole path starts with __proto__ or this.constructor.prototype. That check can be bypassed by prepending any string followed by a dot to the dangerous paths, for example foo.__proto__ or foo.this.constructor.prototype.
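An added example (not the convict project's own code) that contrasts a whole-path prefix check, modelled on the fix the advisory describes, with a per-segment check that rejects __proto__, constructor and prototype wherever they occur in the path; the names prefixCheckAllows, segmentCheckAllows and safeSet are chosen here for illustration.

```javascript
// Added example, not convict's code: why a prefix check on the whole
// dotted path is insufficient, and a per-segment check that closes the gap.
const DANGEROUS_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Whole-path prefix check, as the advisory describes the original fix.
// A path such as "foo.__proto__.x" passes because it does not *start* with
// either forbidden prefix.
function prefixCheckAllows(path) {
  return !(path.startsWith("__proto__") ||
           path.startsWith("this.constructor.prototype"));
}

// Hardened check: split first, then refuse any dangerous segment anywhere.
function segmentCheckAllows(path) {
  return path.split(".").every((seg) => !DANGEROUS_SEGMENTS.has(seg));
}

// Dotted-path setter for config objects that only walks through and
// writes to own properties, never reaching Object.prototype.
function safeSet(target, path, value) {
  if (!segmentCheckAllows(path)) {
    throw new Error(`refusing to set dangerous path: ${path}`);
  }
  const segs = path.split(".");
  let node = target;
  for (const seg of segs.slice(0, -1)) {
    // Create intermediate plain objects only where an own property is absent
    // or is not an object; never descend into inherited properties.
    if (!Object.prototype.hasOwnProperty.call(node, seg) ||
        typeof node[seg] !== "object" || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}
```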

References: