Duplicate
This advisory duplicates another.
Advisories for Npm/Convict package
2023
convict vulnerable to Prototype Pollution
An attacker can inject attributes that are used in other components An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash. The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an …
2022
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
This affects the package convict before 6.2.3. This is a bypass of CVE-2022-22143 introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with proto or this.constructor.prototype. To bypass this check it's possible to prepend the dangerous paths with any string value followed by a dot, like for example foo.proto or foo.this.constructor.prototype.
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The package convict before 6.2.2 is vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. Note: This vulnerability derives from an incomplete fix of another vulnerability
Duplicate
This advisory duplicates another.