{"url":"http://public2.vulnerablecode.io/api/packages/554610?format=json","purl":"pkg:npm/convict@0.5.1","type":"npm","namespace":"","name":"convict","version":"0.5.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.2.5","latest_non_vulnerable_version":"6.2.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/347460?format=json","vulnerability_id":"VCID-2nwn-64m7-s7g6","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21190.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21190.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21190","reference_id":"","reference_type":"","scores":[{"value":"0.00668","scoring_system":"epss","scoring_elements":"0.71751","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00668","scoring_system":"epss","scoring_elements":"0.71837","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00668","scoring_system":"epss","scoring_elements":"0.7185","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00668","scoring_system":"epss","scoring_elements":"0.71847","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21190"},{"reference_url":"https://gist.github.com/dellalibera/cebce20e51410acebff1f46afdc89808","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gist.github.com/dellalibera/cebce20e51410acebff1f46afdc89808"},{"reference_url":"https://github.com/mozilla/node-convict","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_e
lements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict"},{"reference_url":"https://github.com/mozilla/node-convict/blob/3b86be087d8f14681a9c889d45da7fe3ad9cd880/packages/convict/src/main.js%23L571","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/blob/3b86be087d8f14681a9c889d45da7fe3ad9cd880/packages/convict/src/main.js%23L571"},{"reference_url":"https://github.com/mozilla/node-convict/blob/master/CHANGELOG.md%23623---2022-05-07","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/blob/master/CHANGELOG.md%23623---2022-05-07"},{"reference_url":"https://github.com/mozilla/node-convict/commit/1ea0ab19c5208f66509e1c43b0d0f21c1fd29b75","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/commit/1ea0ab19c5208f66509e1c43b0d0f21c1fd29b75"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21190","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21190"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-CONVICT-2774757","refere
nce_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-CONVICT-2774757"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2086396","reference_id":"2086396","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2086396"},{"reference_url":"https://github.com/advisories/GHSA-jjf5-wx3j-3fv7","reference_id":"GHSA-jjf5-wx3j-3fv7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jjf5-wx3j-3fv7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20161?format=json","purl":"pkg:npm/convict@6.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acje-5ues-zbfc"},{"vulnerability":"VCID-h5bw-srm1-k3gq"},{"vulnerability":"VCID-yyy2-zqm3-7kg9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@6.2.3"}],"aliases":["CVE-2022-21190","GHSA-jjf5-wx3j-3fv7"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2nwn-64m7-s7g6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360125?format=json","vulnerability_id":"VCID-acje-5ues-zbfc","summary":"Convict has prototype pollution via load(), loadFile(), and schema initialization\n### Impact\nTwo unguarded prototype pollution paths exist, not covered by previous fixes:\n\n1. `config.load()` / `config.loadFile()` — `overlay()` recursively merges config data without checking for forbidden keys. Input containing `__proto__` or `constructor.prototype` (e.g. from a JSON file) causes the recursion to reach `Object.prototype` and write attacker-controlled values onto it.\n2. 
Schema initialization — passing a schema with `constructor.prototype.*` keys to `convict({...})` causes default-value propagation to write directly to `Object.prototype` at startup.\n\nDepending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.\n\n### Workarounds\nDo not pass untrusted data to load(), loadFile(), or convict().\n\n### Resources\nPrior advisory: [GHSA-44fc-8fm5-q62h](https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h)\nRelated issue: [https://github.com/mozilla/node-convict/issues/423](https://github.com/mozilla/node-convict/issues/423)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33863","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11487","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11521","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11527","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33863"},{"reference_url":"https://github.com/mozilla/node-convict","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict"},{"reference_url":"https://github.com/mozilla/node-convict/issues/423","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/issues/423"},{"reference_url":"https://github.com/mozilla/node-convict/security/advi
sories/GHSA-44fc-8fm5-q62h","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h"},{"reference_url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-hf2r-9gf9-rwch","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-hf2r-9gf9-rwch"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33863","reference_id":"CVE-2026-33863","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33863"},{"reference_url":"https://github.com/advisories/GHSA-hf2r-9gf9-rwch","reference_id":"GHSA-hf2r-9gf9-rwch","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hf2r-9gf9-rwch"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375021?format=json","purl":"pkg:npm/convict@6.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@6.2.5"}],"aliases":["CVE-2026-33863","GHSA-hf2r-9gf9-rwch"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-acje-5ues-zbfc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/148061?format=json","vulnerability_id":"VCID-h5bw-srm1-k3gq","summary":"Improperly Controlled Modification of Object Prototype 
Attributes ('Prototype Pollution') vulnerability in Mozilla Convict.\n\nThis allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have an incompatible type, which may lead to a crash.\n\nThe main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still, a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.\n\nThis issue affects Convict: before 6.2.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-0163","reference_id":"","reference_type":"","scores":[{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.3091","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30926","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30909","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00121","scoring_system":"epss","scoring_elements":"0.30711","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-0163"},{"reference_url":"https://github.com/mozilla/node-convict","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict"},{"reference_url":"https://github.com/mozilla/node-convict/commit/fb602fbe1e9f14f2e88ecb8179d0f76466d21ecb","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring
_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/commit/fb602fbe1e9f14f2e88ecb8179d0f76466d21ecb"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0163","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0163"},{"reference_url":"https://github.com/mozilla/node-convict/issues/410","reference_id":"410","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-27T15:59:57Z/"}],"url":"https://github.com/mozilla/node-convict/issues/410"},{"reference_url":"https://github.com/advisories/GHSA-4jrm-c32x-w4jf","reference_id":"GHSA-4jrm-c32x-w4jf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4jrm-c32x-w4jf"},{"reference_url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf","reference_id":"GHSA-4jrm-c32x-w4jf","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV
:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-27T15:59:57Z/"}],"url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/380113?format=json","purl":"pkg:npm/convict@6.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acje-5ues-zbfc"},{"vulnerability":"VCID-yyy2-zqm3-7kg9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@6.2.4"}],"aliases":["CVE-2023-0163","GHSA-4jrm-c32x-w4jf","GMS-2023-17"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h5bw-srm1-k3gq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208826?format=json","vulnerability_id":"VCID-nh4u-fq7m-jbdp","summary":"Prototype Pollution in 
convict","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22143.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22143.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22143","reference_id":"","reference_type":"","scores":[{"value":"0.01732","scoring_system":"epss","scoring_elements":"0.82871","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01732","scoring_system":"epss","scoring_elements":"0.82933","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01732","scoring_system":"epss","scoring_elements":"0.82936","published_at":"2026-06-14T12:55:00Z"},{"value":"0.01732","scoring_system":"epss","scoring_elements":"0.82941","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22143"},{"reference_url":"https://github.com/mozilla/node-convict","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict"},{"reference_url":"https://github.com/mozilla/node-convict/blob/5eb1314f85346760a3c31cb14510f2f0af11d0d3/packages/convict/src/main.js%23L569","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/blob/5eb1314f85346760a3c31cb14510f2f0af11d0d3/packages/convict/src/main.js%23L569"},{"reference_url":"https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880","reference_id":"","reference_type":"","scores":[{"value":"8.4"
,"scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880"},{"reference_url":"https://github.com/mozilla/node-convict/pull/384","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/pull/384"},{"reference_url":"https://github.com/mozilla/node-convict/releases/tag/v6.2.2","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/releases/tag/v6.2.2"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-CONVICT-2340604","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-CONVICT-2340604"},{"reference_url":"https://www.huntr.dev/bounties/1-npm-convict","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.huntr.dev/bounties/1-npm-convict"},{"reference_url":"https://www.huntr.dev/bounties/1-npm-convict/","reference_id":"","reference_type":"","scores":[],"url":"https://www.huntr.dev/bounties/1-npm-convict/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2080845","reference_id":"2080845","reference_type":"","sco
res":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2080845"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22143","reference_id":"CVE-2022-22143","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22143"},{"reference_url":"https://github.com/advisories/GHSA-x2w5-725j-gf2g","reference_id":"GHSA-x2w5-725j-gf2g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x2w5-725j-gf2g"},{"reference_url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-x2w5-725j-gf2g","reference_id":"GHSA-x2w5-725j-gf2g","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-x2w5-725j-gf2g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/392431?format=json","purl":"pkg:npm/convict@6.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2nwn-64m7-s7g6"},{"vulnerability":"VCID-acje-5ues-zbfc"},{"vulnerability":"VCID-h5bw-srm1-k3gq"},{"vulnerability":"VCID-yyy2-zqm3-7kg9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@6.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/20161?format=json","purl":"pkg:npm/convict@6.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-acje-5ues-zbfc"},{"vulnerability":"VCID-h5bw-srm1-k3gq"},{"vulnerability":"VCID-yyy2-zqm3-7kg9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@6.2.3"}],"alia
ses":["CVE-2022-22143","GHSA-x2w5-725j-gf2g","GMS-2022-888"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nh4u-fq7m-jbdp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360186?format=json","vulnerability_id":"VCID-yyy2-zqm3-7kg9","summary":"Convict has Prototype Pollution via startsWith() function\n### Summary\nA prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute `Object.prototype` via a crafted input using `String.prototype`. \n\n### Details\nThe vulnerability resides in line 564 of https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js where `startsWith()` function is used to check whether user provided input contain forbidden strings. \n\n### PoC\n#### Steps to reproduce\n1. Install latest version of convict using `npm install` or cloning from git\n2. Run the following code snippet:\n\n```javascript\nString.prototype.startsWith = () => false; \nconst convict = require('convict');\nlet obj = {};\nconst config = convict(obj);\nconsole.log({}.polluted);\nconfig.set('constructor.prototype.polluted', 'yes');\nconsole.log({}.polluted);    // prints yes -> the patch is bypassed and prototype pollution occurred\n```\n\n#### Expected behavior\nPrototype pollution should be prevented and {} should not gain new properties.\nThis should be printed on the console:\n```\nundefined\nundefined OR throw an Error\n```\n\n#### Actual behavior\n`Object.prototype` is polluted \nThis is printed on the console:\n```\nundefined \nyes\n```\n\n### Impact\nThis is a prototype pollution vulnerability, which can have severe security implications depending on how convict is used by downstream applications. 
Any application that processes attacker-controlled input using `convict.set`  may be affected.\nIt could potentially lead to the following problems:\n\n1. Authentication bypass\n2. Denial of service\n3. Remote code execution (if polluted property is passed to sinks like eval or child_process)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33864","reference_id":"","reference_type":"","scores":[{"value":"0.0084","scoring_system":"epss","scoring_elements":"0.75236","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0084","scoring_system":"epss","scoring_elements":"0.75232","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0084","scoring_system":"epss","scoring_elements":"0.75223","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33864"},{"reference_url":"https://github.com/mozilla/node-convict","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict"},{"reference_url":"https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js"},{"reference_url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","s
coring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33864","reference_id":"CVE-2026-33864","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33864"},{"reference_url":"https://github.com/advisories/GHSA-44fc-8fm5-q62h","reference_id":"GHSA-44fc-8fm5-q62h","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-44fc-8fm5-q62h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375021?format=json","purl":"pkg:npm/convict@6.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@6.2.5"}],"aliases":["CVE-2026-33864","GHSA-44fc-8fm5-q62h"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yyy2-zqm3-7kg9"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/convict@0.5.1"}