All the vulnerabilities related to the version 6.2.2 of the package
convict vulnerable to Prototype Pollution
The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.
The problem is patched in convict@6.2.4. Users should upgrade to convict@6.2.4.
No way for users to fix or remediate the vulnerability without upgrading
https://github.com/mozilla/node-convict/issues/410
Prototype Pollution in convict
This affects the package convict before 6.2.3. This is a bypass of CVE-2022-22143. The fix introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with proto or this.constructor.prototype. To bypass this check it's possible to prepend the dangerous paths with any string value followed by a dot, like for example foo.proto or foo.this.constructor.prototype.
Prototype Pollution in convict
The main use case of Convict is for handling server-side configurations written by the admins owning the servers, and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker into writing the malicious JavaScript code into some config files.
The problem is patched in convict@6.2.3. Users should upgrade to convict@6.2.3.
No way for users to fix or remediate the vulnerability without upgrading
If you have any questions or comments about this advisory: add your question as a comment in #384
