Intelligence
criticalVulnerabilityActive

Convict Prototype Pollution via Unsafe Recursive Merge and Schema Initialization

CVE-2026-33863 exposes two prototype pollution paths in node-convict's config loading and schema initialization that allow attackers to pollute Object.prototype through untrusted JSON/schema data, potentially enabling authentication bypass or RCE.

S
Sebastion

CVE References

CVE-2026-33863

Affected

mozilla/node-convict

Vulnerability Description

This vulnerability represents a class of prototype pollution affecting Mozilla's convict configuration library. The root cause is insufficient input validation during two critical operations: (1) the overlay() function recursively merges external config data without sanitizing property keys, and (2) schema initialization applies default values without blocking constructor.prototype access. Unlike previous fixes that patched specific attack vectors, these paths remain unguarded. The impact is severe because polluted properties propagate to Object.prototype, affecting all downstream objects in the application. Depending on how the application consumes these properties—particularly in authentication, authorization, or dynamic code execution contexts—the consequences range from denial-of-service through unexpected behavior to authentication bypass or remote code execution.

Proof-of-Concept Significance

This PoC is significant because it demonstrates that blacklist-based remediation (fixing individual known vectors) fails against prototype pollution. The disclosure shows two independent entry points (load(), loadFile(), and schema initialization) that weren't covered by CVE-2026-33863's predecessor (GHSA-44fc-8fm5-q62h). The reliability of exploitation is high: it requires only that untrusted data (JSON file, environment config, or schema object) reaches these functions—a common scenario in configuration management. Preconditions are minimal: no special privileges or unusual application states are needed, making this exploitable in default deployments.

Detection Guidance

Runtime Detection:

  • Monitor for load() and loadFile() calls with external/user-supplied input
  • Log all schema initialization calls, especially those accepting dynamic schema objects
  • Instrument overlay() function calls to detect recursive merges of untrusted data
  • Watch for suspicious property access patterns on Object.prototype (e.g., Object.prototype.<unexpected-key>)

Source Code Signatures:

  • Search for regex patterns: __proto__, constructor\.prototype in config files or schema definitions
  • Grep for convict instantiation with dynamically-built schemas: convict({...})
  • Identify unsafe JSON parsing followed by config.load()

Log Indicators:

  • Unexpected properties appearing on all objects application-wide
  • Authentication/authorization logic receiving unexpected values for existing properties
  • Undefined behavior in property lookups for commonly-used object keys

Mitigation Steps

  1. Immediate: Upgrade node-convict to patched version (when released); apply vendor security advisory recommendations
  2. Input Validation: Never pass untrusted data (user input, external files, environment variables) directly to load(), loadFile(), or schema parameters. Validate and sanitize configuration sources before ingestion
  3. Workaround: Implement a configuration schema whitelist and reject any schema or loaded config containing __proto__ or constructor keys before passing to convict
  4. Defense-in-Depth:
    • Use Object.freeze() on critical prototype objects where supported
    • Implement property descriptor checks in sensitive code paths
    • Run Node.js with security contexts that limit prototype mutation impact
  5. Code Review: Audit all convict usage patterns to identify untrusted data flows

Risk Assessment

Likelihood of Exploitation (High): Prototype pollution is well-understood by security researchers and exploit frameworks. The low precondition barrier (simply passing config data) makes this attractive. Node.js applications often load configuration from files, environment variables, or external sources—common in containerized/cloud deployments.

Threat Actor Interest (High): This vulnerability aligns with supply-chain and configuration-based attack patterns favored by nation-state and criminal threat actors. The potential for silent authentication bypass (difficult to detect) makes it particularly valuable for persistent access scenarios. Given the widespread use of convict in production systems, this is likely to see active exploitation post-disclosure.

Exploitability in the Wild (High): No special tooling required; standard JSON payloads suffice. Attackers can craft malicious config files, inject via CI/CD systems, or exploit applications that accept user-supplied configuration.

Sources

pocprototype-pollutionnode-convictobject-injectionconfiguration-managementnodejs
Back to intelligence