Impact
Two unguarded prototype pollution paths exist, not covered by previous fixes:
- config.load() / config.loadFile() — overlay() recursively merges config data without checking for forbidden keys. Input containing __proto__ or constructor.prototype (e.g. from a JSON file) causes the recursion to reach Object.prototype and write attacker-controlled values onto it.
- Schema initialization — passing a schema with constructor.prototype.* keys to convict({...}) causes default-value propagation to write directly to Object.prototype at startup.
Depending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE.
Patches
Fix in progress. No patched version available yet.
Workarounds
Do not pass untrusted data to load(), loadFile(), or convict().
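One way to enforce this workaround before data reaches convict, as an added example that is not part of the advisory or the convict project: a guard that walks untrusted JSON and rejects the keys named above. The function names, the sample inputs and the forbidden-key set (which also rejects a bare constructor key, stricter than the constructor.prototype pair) are assumptions.

```javascript
// Added example, not convict's own code: reject untrusted config data that
// carries prototype-polluting keys before it is handed to load()/loadFile()/
// convict(). The key set is an assumption chosen for this illustration.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

/**
 * Recursively walks a parsed JSON value and returns the dotted path of the
 * first forbidden key found, or null if the value is clean.
 */
function findForbiddenKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  // JSON.parse stores "__proto__" as an ordinary own property, so Object.keys
  // does see it (unlike an object literal, where it would set the prototype).
  for (const key of Object.keys(value)) {
    const keyPath = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) return keyPath;
    const hit = findForbiddenKey(value[key], keyPath);
    if (hit) return hit;
  }
  return null;
}

/** Parses untrusted JSON config text and throws if it could pollute prototypes. */
function parseTrustedConfig(text) {
  const data = JSON.parse(text);
  const hit = findForbiddenKey(data);
  if (hit !== null) {
    throw new Error(`refusing config: forbidden key at "${hit}"`);
  }
  return data; // safe to pass to config.load(data)
}

// Constructed sample inputs (not taken from the advisory).
const CLEAN = '{"db":{"host":"localhost","port":5432}}';
const POLLUTED = '{"db":{"host":"localhost"},"__proto__":{"polluted":true}}';
const NESTED = '{"a":{"constructor":{"prototype":{"polluted":true}}}}';

function demo() {
  return {
    clean: findForbiddenKey(JSON.parse(CLEAN)),       // null
    polluted: findForbiddenKey(JSON.parse(POLLUTED)), // "__proto__"
    nested: findForbiddenKey(JSON.parse(NESTED)),     // "a.constructor"
  };
}
```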
References
Prior advisory: GHSA-44fc-8fm5-q62h
Related issue: #423