hi, we are a security team. We found a Prototype Pollution vulnerability in your project.
Vulnerability Description
The convict configuration management library contains three distinct prototype pollution vulnerabilities in schema parsing, flattening, and constructor initialization. All allow attackers to pollute Object.prototype.
TP0001
Confidence: High
Location: package/package/src/main.js:230
Root Cause: The library parses a user-controlled schema and uses __proto__ as a key to perform dynamic property writes, so the write lands on the prototype chain instead of on the schema object.
POC:
const lib = require('convict');
// A schema taken from untrusted input that carries an own "__proto__" key
lib(JSON.parse('{"__proto__": {"polluted": true}}'), {});
console.log({}.polluted); // true: Object.prototype now carries "polluted"
Verification Output: [CASE_ID=TP0001] [VULN_BOTH] Multi-step load then validate triggers schema processing sink