A critical vulnerability has been uncovered in node-convict, the widely used configuration management library designed to make Node.js applications more robust. The flaw, tracked as CVE-2026-33864, carries a severe CVSS score of 9.4, potentially leaving thousands of downstream applications vulnerable to unauthorized data manipulation or worse.
Convict is a favorite among developers for its ability to enforce configuration schemas, providing validation and early failure alerts when settings go wrong. However, researchers have discovered that the very tool meant to provide “context and validation” can be turned against the systems it protects.
The vulnerability is a classic case of Prototype Pollution. While the maintainers had previously implemented a fix to block forbidden keys in user input, it turns out that defense was built on shaky ground.
The flaw lies in the library’s key-filtering logic, which relies on the startsWith() string method to detect forbidden key names. Because that method is resolved through String.prototype at call time, an attacker who can manipulate String.prototype can force the security check to return false, effectively bypassing the library’s filters.
An attacker can then use the config.set method to inject properties directly into Object.prototype, polluting every object within the Node.js environment.
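The following JavaScript is an added illustration written for this report, not code from node-convict or its maintainers. It models the pattern described above with a toy dotted-path setter in two variants: setFragile guards keys only through the live String.prototype.startsWith, while setHardened compares path segments by strict equality against a frozen denylist, uses a split() reference captured at load time, and writes own properties only, so Object.prototype stays out of reach even if the key filter were bypassed. The function names, the denylist and the demo key names are assumptions made for the example; runDemo() performs the String.prototype override the advisory describes against both variants and restores global state afterwards.

```javascript
'use strict';
// Added example, not node-convict's code. Two toy setters for dotted paths:
// setFragile relies on the live String.prototype.startsWith (the pattern the
// advisory describes); setHardened uses a strict-equality denylist, a split()
// captured at load time, and own-property writes as a second layer.

const FORBIDDEN = Object.freeze(['__proto__', 'constructor', 'prototype']); // assumed denylist

// Captured at load time: later overrides of String.prototype do not affect this
// reference (the same idea as the "primordials" Node.js core uses internally).
const split = Function.prototype.call.bind(String.prototype.split);

function isForbiddenStrict(seg) {
  for (let j = 0; j < FORBIDDEN.length; j++) {
    if (seg === FORBIDDEN[j]) return true;
  }
  return false;
}

// Variant 1: seg.startsWith() is resolved through String.prototype on every
// call, so any code that ran earlier in the process can replace it.
function setFragile(target, path, value) {
  const segments = path.split('.');
  for (const seg of segments) {
    for (const bad of FORBIDDEN) {
      if (seg.startsWith(bad)) throw new Error(`forbidden key: ${seg}`);
    }
  }
  let obj = target;
  for (let i = 0; i < segments.length - 1; i++) {
    if (obj[segments[i]] === undefined) obj[segments[i]] = {};
    obj = obj[segments[i]]; // a '__proto__' segment yields Object.prototype here
  }
  obj[segments[segments.length - 1]] = value;
  return target;
}

// Second layer of the hardened variant: walk and write own properties only.
// Object.defineProperty with the key '__proto__' creates an own data property
// instead of invoking the inherited __proto__ setter.
function assignOwnPath(target, segments, value) {
  let obj = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (!Object.hasOwn(obj, seg)) {
      Object.defineProperty(obj, seg, {
        value: Object.create(null), writable: true, enumerable: true, configurable: true,
      });
    } else if (typeof obj[seg] !== 'object' || obj[seg] === null) {
      throw new Error(`path collides with a non-object at: ${seg}`);
    }
    obj = obj[seg];
  }
  Object.defineProperty(obj, segments[segments.length - 1], {
    value, writable: true, enumerable: true, configurable: true,
  });
  return target;
}

// Variant 2: strict denylist first, own-property write second.
function setHardened(target, path, value) {
  const segments = split(String(path), '.');
  for (let i = 0; i < segments.length; i++) {
    if (isForbiddenStrict(segments[i])) throw new Error(`forbidden key: ${segments[i]}`);
  }
  return assignOwnPath(target, segments, value);
}

// Applies the override the advisory describes to both variants and reports
// whether a fresh object inherited anything. Global state is restored afterwards.
function runDemo() {
  const savedStartsWith = String.prototype.startsWith;
  String.prototype.startsWith = function () { return false; };
  const report = {};
  try {
    setFragile({}, '__proto__.demoPolluted', true);
    report.fragilePolluted = ({}).demoPolluted === true;

    let hardenedThrew = false;
    try { setHardened({}, '__proto__.demoPolluted2', true); } catch (e) { hardenedThrew = true; }
    report.hardenedRejected = hardenedThrew;

    // Even with the filter skipped, the own-property walk cannot reach Object.prototype.
    const t = assignOwnPath({}, ['__proto__', 'demoPolluted3'], true);
    report.walkerPolluted = ({}).demoPolluted3 === true;
    report.walkerWroteOwnKey = Object.hasOwn(t, '__proto__');
  } finally {
    String.prototype.startsWith = savedStartsWith;
    delete Object.prototype.demoPolluted;
  }
  return report;
}
```

Running runDemo() yields fragilePolluted true, hardenedRejected true, walkerPolluted false and walkerWroteOwnKey true: the fragile setter reaches Object.prototype once startsWith has been replaced, whereas the hardened setter rejects the key outright and, even when its filter is skipped, only creates an own property literally named __proto__ on the target. The general lesson is that a security check must not depend on a mutable global that the same process can rewrite; capture the references you need at load time and make the write path itself incapable of touching shared prototypes.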
Because node-convict is often used to process external settings, any application that allows attacker-controlled input to reach the convict.set function is at risk. The implications of a polluted prototype are broad and dangerous:
- Authentication Bypass: Attackers may be able to flip internal flags to gain unauthorized access.
- Denial of Service (DoS): By injecting unexpected properties, an attacker can cause the application to crash or behave unpredictably.
- Remote Code Execution (RCE): If a polluted property is eventually passed into sensitive functions like eval() or child_process, it could lead to a full system takeover.
The vulnerability impacts all versions of the convict npm package up to and including version 6.2.4.
Developers are urged to update to version 6.2.5 immediately, which contains the official patch to prevent this bypass.