Skip to main content

Node.js CVE-2026-33863

CRITICAL
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-03-26 https://github.com/mozilla/node-convict
Share

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 19:00 vuln.today
CVE Published
Mar 26, 2026 - 18:50 nvd
CRITICAL

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 969 npm packages depend on convict (213 direct, 760 indirect)

Ecosystem-wide dependent count for version 6.2.5.

DescriptionCVE.org

Impact

Two unguarded prototype pollution paths exist, not covered by previous fixes:

  1. config.load() / config.loadFile() - overlay() recursively merges config data without checking for forbidden keys. Input containing __proto__ or constructor.prototype (e.g. from a JSON file) causes the recursion to reach Object.prototype and write attacker-controlled values onto it.
  2. Schema initialization - passing a schema with constructor.prototype.* keys to convict({...}) causes default-value propagation to write directly to Object.prototype at startup.

Depending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.

Workarounds

Do not pass untrusted data to load(), loadFile(), or convict().

Resources

Prior advisory: GHSA-44fc-8fm5-q62h Related issue: https://github.com/mozilla/node-convict/issues/423

AnalysisAI

Prototype pollution in Mozilla's node-convict configuration library allows attackers to inject properties into Object.prototype via two unguarded code paths: config.load()/loadFile() methods that fail to filter forbidden keys during recursive merge operations, and schema initialization accepting constructor.prototype.* keys during default-value propagation. Applications using node-convict (pkg:npm/convict) that process untrusted configuration data face impacts ranging from authentication bypass to remote code execution depending on how polluted properties propagate through the application. This represents an incomplete fix for prior prototype pollution issues (GHSA-44fc-8fm5-q62h), with no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability affects Mozilla's node-convict library (CPE: pkg:npm/convict), a configuration management module for Node.js applications that validates and loads configuration from various sources including JSON files and environment variables. The root cause is CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, commonly known as prototype pollution), where the overlay() function recursively merges configuration objects without sanitizing keys like __proto__ or constructor.prototype. JavaScript's prototype chain allows modifications to Object.prototype to propagate globally, enabling attackers to inject properties that affect all objects. The vulnerability bypasses earlier security patches documented in GHSA-44fc-8fm5-q62h, exposing two distinct attack vectors: runtime configuration loading via load()/loadFile() methods and schema initialization during convict() constructor invocation.

RemediationAI

Upgrade to the patched version of node-convict specified in the vendor security advisory at https://github.com/mozilla/node-convict/security/advisories/GHSA-hf2r-9gf9-rwch (exact version number not provided in available intelligence data). As an interim workaround until patching is completed, implement strict input validation to reject configuration data from untrusted sources passed to load(), loadFile(), or convict() constructor methods. Specifically, sanitize or reject any configuration objects containing __proto__, constructor, or prototype keys before processing. Review application architecture to ensure configuration loading occurs only from trusted, controlled sources rather than user-supplied files or external APIs. For defense-in-depth, consider using Object.freeze(Object.prototype) at application startup to prevent prototype modifications, though this may break legitimate application functionality and should be tested thoroughly. Consult the prior advisory GHSA-44fc-8fm5-q62h at https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h for additional context on related prototype pollution patterns in this library.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-33863 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy