Node.js CVE-2026-33863
CRITICALLifecycle Timeline
3Blast Radius
ecosystem impact- 969 npm packages depend on convict (213 direct, 760 indirect)
Ecosystem-wide dependent count for version 6.2.5.
DescriptionCVE.org
Impact
Two unguarded prototype pollution paths exist, not covered by previous fixes:
config.load()/config.loadFile()-overlay()recursively merges config data without checking for forbidden keys. Input containing__proto__orconstructor.prototype(e.g. from a JSON file) causes the recursion to reachObject.prototypeand write attacker-controlled values onto it.- Schema initialization - passing a schema with
constructor.prototype.*keys toconvict({...})causes default-value propagation to write directly toObject.prototypeat startup.
Depending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.
Workarounds
Do not pass untrusted data to load(), loadFile(), or convict().
Resources
Prior advisory: GHSA-44fc-8fm5-q62h Related issue: https://github.com/mozilla/node-convict/issues/423
AnalysisAI
Prototype pollution in Mozilla's node-convict configuration library allows attackers to inject properties into Object.prototype via two unguarded code paths: config.load()/loadFile() methods that fail to filter forbidden keys during recursive merge operations, and schema initialization accepting constructor.prototype.* keys during default-value propagation. Applications using node-convict (pkg:npm/convict) that process untrusted configuration data face impacts ranging from authentication bypass to remote code execution depending on how polluted properties propagate through the application. This represents an incomplete fix for prior prototype pollution issues (GHSA-44fc-8fm5-q62h), with no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability affects Mozilla's node-convict library (CPE: pkg:npm/convict), a configuration management module for Node.js applications that validates and loads configuration from various sources including JSON files and environment variables. The root cause is CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, commonly known as prototype pollution), where the overlay() function recursively merges configuration objects without sanitizing keys like __proto__ or constructor.prototype. JavaScript's prototype chain allows modifications to Object.prototype to propagate globally, enabling attackers to inject properties that affect all objects. The vulnerability bypasses earlier security patches documented in GHSA-44fc-8fm5-q62h, exposing two distinct attack vectors: runtime configuration loading via load()/loadFile() methods and schema initialization during convict() constructor invocation.
RemediationAI
Upgrade to the patched version of node-convict specified in the vendor security advisory at https://github.com/mozilla/node-convict/security/advisories/GHSA-hf2r-9gf9-rwch (exact version number not provided in available intelligence data). As an interim workaround until patching is completed, implement strict input validation to reject configuration data from untrusted sources passed to load(), loadFile(), or convict() constructor methods. Specifically, sanitize or reject any configuration objects containing __proto__, constructor, or prototype keys before processing. Review application architecture to ensure configuration loading occurs only from trusted, controlled sources rather than user-supplied files or external APIs. For defense-in-depth, consider using Object.freeze(Object.prototype) at application startup to prevent prototype modifications, though this may break legitimate application functionality and should be tested thoroughly. Consult the prior advisory GHSA-44fc-8fm5-q62h at https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h for additional context on related prototype pollution patterns in this library.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Share
External POC / Exploit Code
Leaving vuln.today