{"url":"http://public2.vulnerablecode.io/api/packages/541144?format=json","purl":"pkg:npm/convict@0.0.6","type":"npm","namespace":"","name":"convict","version":"0.0.6","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.2.5","latest_non_vulnerable_version":"6.2.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22342?format=json","vulnerability_id":"VCID-acwd-z7rp-dugq","summary":"Convict has prototype pollution via load(), loadFile(), and schema initialization\n### Impact\nTwo unguarded prototype pollution paths exist, not covered by previous fixes:\n\n1. `config.load()` / `config.loadFile()` — `overlay()` recursively merges config data without checking for forbidden keys. Input containing `__proto__` or `constructor.prototype` (e.g. from a JSON file) causes the recursion to reach `Object.prototype` and write attacker-controlled values onto it.\n2. Schema initialization — passing a schema with `constructor.prototype.*` keys to `convict({...})` causes default-value propagation to write directly to `Object.prototype` at startup.\n\nDepending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.\n\n### Workarounds\nDo not pass untrusted data to load(), loadFile(), or convict().\n\n### Resources\nPrior advisory: [GHSA-44fc-8fm5-q62h](https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h)\nRelated issue: 
[https://github.com/mozilla/node-convict/issues/423](https://github.com/mozilla/node-convict/issues/423)","references":[{"reference_url":"https://github.com/mozilla/node-convict","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict"},{"reference_url":"https://github.com/mozilla/node-convict/issues/423","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/issues/423"},{"reference_url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h"},{"reference_url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-hf2r-9gf9-rwch","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-hf2r-9gf9-rwch"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33863","reference_id":"CVE-2026-33863","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33863"},{"reference_url":"https://github.com/advisories/GHSA-hf2r-9gf9
-rwch","reference_id":"GHSA-hf2r-9gf9-rwch","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hf2r-9gf9-rwch"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57635?format=json","purl":"pkg:npm/convict@6.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@6.2.5"}],"aliases":["CVE-2026-33863","GHSA-hf2r-9gf9-rwch"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-acwd-z7rp-dugq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/23356?format=json","vulnerability_id":"VCID-ma5m-yrvz-4fdd","summary":"Convict has Prototype Pollution via startsWith() function\n### Summary\nA prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute `Object.prototype` via a crafted input using `String.prototype`. \n\n### Details\nThe vulnerability resides in line 564 of https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js where the `startsWith()` function is used to check whether user-provided input contains forbidden strings. \n\n### PoC\n#### Steps to reproduce\n1. Install the latest version of convict using `npm install` or by cloning from git\n2. 
Run the following code snippet:\n\n```javascript\nString.prototype.startsWith = () => false; \nconst convict = require('convict');\nlet obj = {};\nconst config = convict(obj);\nconsole.log({}.polluted);\nconfig.set('constructor.prototype.polluted', 'yes');\nconsole.log({}.polluted);    // prints yes -> the patch is bypassed and prototype pollution occurred\n```\n\n#### Expected behavior\nPrototype pollution should be prevented and {} should not gain new properties.\nThis should be printed on the console:\n```\nundefined\nundefined OR throw an Error\n```\n\n#### Actual behavior\n`Object.prototype` is polluted \nThis is printed on the console:\n```\nundefined \nyes\n```\n\n### Impact\nThis is a prototype pollution vulnerability, which can have severe security implications depending on how convict is used by downstream applications. Any application that processes attacker-controlled input using `convict.set`  may be affected.\nIt could potentially lead to the following problems:\n\n1. Authentication bypass\n2. Denial of service\n3. 
Remote code execution (if polluted property is passed to sinks like eval or child_process)","references":[{"reference_url":"https://github.com/mozilla/node-convict","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict"},{"reference_url":"https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js"},{"reference_url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33864","reference_id":"CVE-2026-33864","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33864"},{"reference_url":"https://github.com/advisories/GHSA-44fc-8fm5-q62h","reference_id":"GHSA-44fc-8fm5-q62h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-44fc-8fm5-q62h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57635?format=json","purl":"pkg:npm/convict@6.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@6.2.5"}],
"aliases":["CVE-2026-33864","GHSA-44fc-8fm5-q62h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ma5m-yrvz-4fdd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42361?format=json","vulnerability_id":"VCID-s5bq-s46x-nffa","summary":"convict: A Prototype Pollution Vulnerability in convict","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21190.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21190.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21190","reference_id":"","reference_type":"","scores":[{"value":"0.00668","scoring_system":"epss","scoring_elements":"0.71611","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21190"},{"reference_url":"https://gist.github.com/dellalibera/cebce20e51410acebff1f46afdc89808","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gist.github.com/dellalibera/cebce20e51410acebff1f46afdc89808"},{"reference_url":"https://github.com/mozilla/node-convict","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict"},{"reference_url":"https://github.com/mozilla/node-convict/blob/3b86be087d8f14681a9c889d45da7fe3ad9cd880/packages/convict/src/main.js%23L571","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_syste
m":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/blob/3b86be087d8f14681a9c889d45da7fe3ad9cd880/packages/convict/src/main.js%23L571"},{"reference_url":"https://github.com/mozilla/node-convict/blob/master/CHANGELOG.md%23623---2022-05-07","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/blob/master/CHANGELOG.md%23623---2022-05-07"},{"reference_url":"https://github.com/mozilla/node-convict/commit/1ea0ab19c5208f66509e1c43b0d0f21c1fd29b75","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/commit/1ea0ab19c5208f66509e1c43b0d0f21c1fd29b75"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21190","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21190"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-CONVICT-2774757","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-CONVICT-2774757"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2086396","reference_id":"2086396","reference_type":"","sc
ores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2086396"},{"reference_url":"https://github.com/advisories/GHSA-jjf5-wx3j-3fv7","reference_id":"GHSA-jjf5-wx3j-3fv7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jjf5-wx3j-3fv7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85165?format=json","purl":"pkg:npm/convict@6.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acwd-z7rp-dugq"},{"vulnerability":"VCID-ma5m-yrvz-4fdd"},{"vulnerability":"VCID-x7pj-3vud-rfb8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@6.2.3"}],"aliases":["CVE-2022-21190","GHSA-jjf5-wx3j-3fv7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s5bq-s46x-nffa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42570?format=json","vulnerability_id":"VCID-wf27-x7te-dyge","summary":"convict: Prototype Pollution in 
convict","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22143.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22143.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22143","reference_id":"","reference_type":"","scores":[{"value":"0.01732","scoring_system":"epss","scoring_elements":"0.82772","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22143"},{"reference_url":"https://github.com/mozilla/node-convict","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict"},{"reference_url":"https://github.com/mozilla/node-convict/blob/5eb1314f85346760a3c31cb14510f2f0af11d0d3/packages/convict/src/main.js%23L569","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/blob/5eb1314f85346760a3c31cb14510f2f0af11d0d3/packages/convict/src/main.js%23L569"},{"reference_url":"https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880"},{"reference_url":"https://github.com/mozilla/node-convict/pull/38
4","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/pull/384"},{"reference_url":"https://github.com/mozilla/node-convict/releases/tag/v6.2.2","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/releases/tag/v6.2.2"},{"reference_url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-x2w5-725j-gf2g","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-x2w5-725j-gf2g"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22143","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22143"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-CONVICT-2340604","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-CONVICT-2340604"},{"reference_url":"https://www.huntr.dev/bounties/1-npm-convict","reference_id":"","reference_type":"","scores":[{"value":"8.4"
,"scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.huntr.dev/bounties/1-npm-convict"},{"reference_url":"https://www.huntr.dev/bounties/1-npm-convict/","reference_id":"","reference_type":"","scores":[],"url":"https://www.huntr.dev/bounties/1-npm-convict/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2080845","reference_id":"2080845","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2080845"},{"reference_url":"https://github.com/advisories/GHSA-x2w5-725j-gf2g","reference_id":"GHSA-x2w5-725j-gf2g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x2w5-725j-gf2g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371666?format=json","purl":"pkg:npm/convict@6.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acwd-z7rp-dugq"},{"vulnerability":"VCID-ma5m-yrvz-4fdd"},{"vulnerability":"VCID-s5bq-s46x-nffa"},{"vulnerability":"VCID-x7pj-3vud-rfb8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@6.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/85165?format=json","purl":"pkg:npm/convict@6.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acwd-z7rp-dugq"},{"vulnerability":"VCID-ma5m-yrvz-4fdd"},{"vulnerability":"VCID-x7pj-3vud-rfb8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@6.2.3"}],"aliases":["CVE-2022-22143","GHSA-x2w5-725j-gf2g","GMS-2022-888"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wf27-x7te-dyge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36297?format=json","vulnerability_id":"VCID-x7pj-3vud-rfb8","summary":"convict vulnerable 
to Prototype Pollution\n### Impact\n\n* An attacker can inject attributes that are used in other components\n* An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash.\n\nThe main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.\n\n### Patches\nThe problem is patched in `convict@6.2.4`. Users should upgrade to `convict@6.2.4`.\n\n### Workarounds\nNo way for users to fix or remediate the vulnerability without upgrading\n\n### References\nhttps://github.com/mozilla/node-convict/issues/410","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-0163","reference_id":"","reference_type":"","scores":[{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30778","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-0163"},{"reference_url":"https://github.com/mozilla/node-convict","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict"},{"reference_url":"https://github.com/mozilla/node-convict/commit/fb602fbe1e9f14f2e88ecb8179d0f76466d21ecb","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/
AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/commit/fb602fbe1e9f14f2e88ecb8179d0f76466d21ecb"},{"reference_url":"https://github.com/mozilla/node-convict/issues/410","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-27T15:59:57Z/"}],"url":"https://github.com/mozilla/node-convict/issues/410"},{"reference_url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-27T15:59:57Z/"}],"url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0163","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0163"
},{"reference_url":"https://github.com/advisories/GHSA-4jrm-c32x-w4jf","reference_id":"GHSA-4jrm-c32x-w4jf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4jrm-c32x-w4jf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68643?format=json","purl":"pkg:npm/convict@6.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acwd-z7rp-dugq"},{"vulnerability":"VCID-ma5m-yrvz-4fdd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@6.2.4"}],"aliases":["CVE-2023-0163","GHSA-4jrm-c32x-w4jf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x7pj-3vud-rfb8"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@0.0.6"}