CVE-2026-33863

描述

### Impact Two unguarded prototype pollution paths exist, not covered by previous fixes: 1. `config.load()` / `config.loadFile()` — `overlay()` recursively merges config data without checking for forbidden keys. Input containing` __proto__` or `constructor.prototype` (e.g. from a JSON file) causes the recursion to reach `Object.prototype` and write attacker-controlled values onto it. 2. Schema initialization — passing a schema with `constructor.prototype.*` keys to `convict({...})` causes default-value propagation to write directly to `Object.prototype` at startup. Depending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE. ### Workarounds Do not pass untrusted data to load(), loadFile(), or convict(). ### Resources Prior advisory: [GHSA-44fc-8fm5-q62h](https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h) Related issue: [https://github.com/mozilla/node-convict/issues/423](https://github.com/mozilla/node-convict/issues/423)

受影響套件(1)

• npm/convictfrom 0, < 6.2.5

CVSS 分數

參考連結(4)

• PATCHhttps://github.com/mozilla/node-convict
• WEBhttps://github.com/mozilla/node-convict/issues/423
• WEBhttps://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h
• WEBhttps://github.com/mozilla/node-convict/security/advisories/GHSA-hf2r-9gf9-rwch