CVE-2026-33864: Convict has Prototype Pollution via startsWith() function
A prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). An earlier fix attempted to mitigate prototype pollution by checking, with startsWith(), whether a user-supplied key begins with a forbidden key, but Object.prototype can still be polluted through a crafted input that uses String.prototype.
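As an added example (not convict's own code; the advisory does not give the bypass input, so only the hardened pattern is shown), a dotted-path config setter that rejects forbidden key segments by exact comparison rather than a prefix test and never descends through inherited properties. The names `setPath`, `FORBIDDEN_SEGMENTS` and `prototypeIsPolluted` are chosen here for illustration:

```javascript
// Added example, not convict's code. The advisory says a prefix check
// (String.prototype.startsWith) against forbidden keys was bypassed, so this
// setter compares each path segment exactly and only walks *own* properties,
// which removes the route from a dotted path to Object.prototype.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeSegment(segment) {
  // Exact match: '__proto__' is rejected, a legitimate key such as
  // 'prototypeVersion' is not (a startsWith test would over-block it).
  if (FORBIDDEN_SEGMENTS.has(segment)) {
    throw new Error(`refusing forbidden key segment "${segment}"`);
  }
}

function setPath(target, path, value) {
  const segments = path.split('.');
  let node = target;
  for (let i = 0; i < segments.length - 1; i += 1) {
    const seg = segments[i];
    assertSafeSegment(seg);
    // Only descend into an own plain object; anything inherited through the
    // prototype chain is replaced, never walked.
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = Object.create(null); // null prototype: nothing to pollute
    }
    node = node[seg];
  }
  const last = segments[segments.length - 1];
  assertSafeSegment(last);
  // defineProperty creates an own property; it never touches the prototype.
  Object.defineProperty(node, last, {
    value, writable: true, enumerable: true, configurable: true,
  });
  return target;
}

// Self-check for a test suite or startup probe: has a marker key leaked
// onto Object.prototype? Use a key your code never sets legitimately.
function prototypeIsPolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}
```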