PT-2022-15141 · Npm · Nconf

Alessio Della Libera · Published 2022-04-12 · Updated 2022-04-20 · CVE-2022-21803

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: nconf versions prior to 0.11.4
Description: The issue affects the nconf package when the memory engine is used, which stores a nested JSON representation of the configuration. The set() function is vulnerable to Prototype Pollution: a crafted property path can modify properties on Object.prototype.
Recommendations: For versions prior to 0.11.4, update to version 0.11.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the set() function until a patch is available. Do not pass untrusted (attacker-controlled) property names to the affected set() function, since such crafted properties are what trigger the Prototype Pollution vulnerability.
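The following is an added example and not nconf's own code. It models the behaviour the description above refers to with a minimal nested key/value store: a setter that walks a colon-separated path (nconf's default separator is ':') without checking the segment names can be steered into Object.prototype, while the hardened setter beside it rejects those segments and only descends into own properties. A small detection helper shows the observable symptom. The names naiveSet, safeSet, isPrototypePolluted and DANGEROUS_SEGMENTS, and the sample path "database:host", are assumptions of this example.

```javascript
// Added example (not nconf's code): a minimal nested store in the style of a
// memory engine, showing an unchecked path walker beside a hardened one.

// Segments that let a path walk escape the store into a prototype.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a:b:c" into ["a", "b", "c"]; ':' mirrors nconf's default separator.
function splitPath(path, separator = ':') {
  return String(path).split(separator);
}

// Naive setter: creates intermediate objects as needed but never checks the
// segment names. On a plain object, the inherited "__proto__" accessor is
// followed like any other key, so the final write lands on Object.prototype.
// Kept only to contrast with safeSet below.
function naiveSet(store, path, value) {
  const segments = splitPath(path);
  let node = store;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return store;
}

// Hardened setter: rejects dangerous segments up front and only descends into
// own properties, so inherited accessors are never followed.
function safeSet(store, path, value) {
  const segments = splitPath(path);
  for (const key of segments) {
    if (DANGEROUS_SEGMENTS.has(key)) {
      throw new Error(`refusing to set unsafe key segment: ${key}`);
    }
  }
  let node = store;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return store;
}

// Detection helper: true when Object.prototype carries a property of its own
// under propName, which is the symptom every fresh object then inherits.
function isPrototypePolluted(propName) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, propName);
}

// Undo a demonstration so later code in the same process is unaffected.
function clearPollution(propName) {
  delete Object.prototype[propName];
}

// Constructed usage (not data from the advisory).
const config = safeSet({}, 'database:host', 'localhost');
console.log(JSON.stringify(config));
```

Blocking "constructor" as a segment also rejects a legitimate configuration key of that name; a store created with Object.create(null) avoids inheriting the accessors in the first place and can be combined with the segment check.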

Exploit

Fix

Prototype Pollution


Weakness Enumeration

Related Identifiers

CVE-2022-21803
GHSA-6XWR-Q98W-RVG7
SNYK-JAVA-ORGWEBJARSNPM-2632450
SNYK-JS-NCONF-2395478

Affected Products

Nconf