
Node.js CVE-2026-33863

CRITICAL
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-03-26 https://github.com/mozilla/node-convict

Lifecycle Timeline

Patch released: Mar 31, 2026, 21:13 (nvd) – patch available
Analysis generated: Mar 26, 2026, 19:00 (vuln.today)
CVE published: Mar 26, 2026, 18:50 (nvd)

Blast Radius

Ecosystem impact (transitive dependency graph resolved by vuln.today to a path depth of 4):
  • 933 npm packages depend on convict (210 direct, 727 indirect)

Ecosystem-wide dependent count for version 6.2.5.

Description (source: NVD)

Impact

Two unguarded prototype pollution paths exist, not covered by previous fixes:

  1. config.load() / config.loadFile() - overlay() recursively merges configuration data without checking for forbidden keys. Input containing __proto__ or constructor.prototype keys (for example, from a JSON file) causes the recursion to reach Object.prototype and write attacker-controlled values onto it.
  2. Schema initialization - passing a schema containing constructor.prototype.* keys to convict({...}) causes default-value propagation to write directly to Object.prototype at startup.

Depending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.

Workarounds

Do not pass untrusted data to load(), loadFile(), or convict(). Validate configuration documents for the keys __proto__, constructor, and prototype before they reach these calls.
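Added example, not code from node-convict or this advisory: a pre-load validator for untrusted configuration documents together with a recursive overlay that skips forbidden keys, which is the guard the affected overlay() lacks. The names findForbiddenKeys, safeOverlay and demo are hypothetical, and the sample config is constructed.

```javascript
// Keys a prototype-pollution payload relies on; both functions refuse them.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Walk a parsed document and return the dotted path of every forbidden key.
// JSON.parse stores "__proto__" as an own data property, so Object.keys()
// sees it, which is exactly what an unguarded recursive merge would follow.
function findForbiddenKeys(doc, path = []) {
  const hits = [];
  if (!isPlainObject(doc)) return hits;
  for (const key of Object.keys(doc)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join("."));
    hits.push(...findForbiddenKeys(doc[key], here));
  }
  return hits;
}

// Guarded counterpart of an overlay(): deep-merge src into dst, skipping
// forbidden keys and only recursing into own, plain-object values.
function safeOverlay(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = {};
      }
      safeOverlay(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Constructed sample: an untrusted config file as JSON.parse would return it.
const UNTRUSTED_CONFIG = JSON.parse(
  '{"port": 8080, "__proto__": {"isAdmin": true}, "db": {"constructor": {"prototype": {"x": 1}}}}'
);

function demo() {
  const problems = findForbiddenKeys(UNTRUSTED_CONFIG);
  const merged = safeOverlay({ port: 3000, db: { host: "localhost" } }, UNTRUSTED_CONFIG);
  // Object.prototype stays clean: unrelated objects gain neither isAdmin nor x.
  const polluted = "isAdmin" in {} || "x" in {};
  return { problems, merged, polluted };
}
```

In a convict-based service the validator would run on the parsed document before load()/loadFile(), and any hit should be logged and the document rejected.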

Resources

Prior advisory: GHSA-44fc-8fm5-q62h
Related issue: https://github.com/mozilla/node-convict/issues/423

Analysis (AI-generated)

Prototype pollution in Mozilla's node-convict configuration library allows attackers to inject properties into Object.prototype via two unguarded code paths: config.load()/loadFile() methods that fail to filter forbidden keys during recursive merge operations, and schema initialization accepting constructor.prototype.* keys during default-value propagation. Applications using node-convict (pkg:npm/convict) that process untrusted configuration data face impacts ranging from authentication bypass to remote code execution depending on how polluted properties propagate through the application. …


Remediation (AI-generated)

Within 24 hours: Identify all applications using npm package 'convict' (any version) by auditing package.json and dependency trees across your portfolio; document affected systems and their exposure to untrusted configuration sources. Within 7 days: Implement input validation on all configuration sources feeding into convict.load()/loadFile() methods; disable convict schema initialization from untrusted sources where feasible. …


CVE-2026-33863 vulnerability details – vuln.today
