Vulnerability	Vulnerable Version
C Prototype Pollution convict is a package that expands on the standard pattern of configuring node.js applications in a way that is more robust and accessible to collaborators, who may have less interest in digging through imperative code in order to inspect or modify settings. By introducing a configuration schema, convict gives project collaborators more context on each setting and enables validation and early failures for when configuration goes wrong. Affected versions of this package are vulnerable to Prototype Pollution via the `load`, `loadFile`, and schema initialization processes. An attacker can manipulate the global object prototype by supplying specially crafted input containing forbidden keys, such as `__proto__` or `constructor.prototype`, which can lead to unexpected behavior, authentication bypass, or remote code execution by polluting `Object.prototype`. How to fix Prototype Pollution? Upgrade `convict` to version 6.2.5 or higher.	<6.2.5

Prototype Pollution

convict is a package that expands on the standard pattern of configuring node.js applications in a way that is more robust and accessible to collaborators, who may have less interest in digging through imperative code in order to inspect or modify settings. By introducing a configuration schema, convict gives project collaborators more context on each setting and enables validation and early failures for when configuration goes wrong.

Affected versions of this package are vulnerable to Prototype Pollution via the load, loadFile, and schema initialization processes. An attacker can manipulate the global object prototype by supplying specially crafted input containing forbidden keys, such as __proto__ or constructor.prototype, which can lead to unexpected behavior, authentication bypass, or remote code execution by polluting Object.prototype.

How to fix Prototype Pollution?

Upgrade convict to version 6.2.5 or higher.

<6.2.5

Go back to all versions of this package