PT-2022-15271 · Convict · Convict

Cristian-Alexandru Staicu +2

Published 2022-04-20 · Updated 2022-05-13

CVE-2022-22143

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: convict versions prior to 6.2.2

Description: The issue allows for Prototype Pollution via the convict function due to missing validation of parentKey. This could enable an attacker to inject attributes used in other components or override existing attributes with incompatible types, potentially leading to a crash. The main use case of Convict is handling server-side configurations, and while it is unlikely an admin would sabotage their own server, an uninformed admin could be tricked into writing malicious JavaScript code into config files.

Recommendations: For convict versions prior to 6.2.2, upgrade to convict@6.2.3 to resolve the issue. As a temporary workaround, consider restricting access to configuration files to minimize the risk of exploitation.
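The missing check the advisory describes is validation of every parent key walked while a dotted config path is expanded. The following is an added illustration, not convict's own code: a hardened nested-key setter for a config loader that rejects unsafe path segments before traversal and only ever creates null-prototype intermediate objects, so a config file cannot reach Object.prototype. The function names, the flat `{dottedKey: value}` input shape and the sample configs are assumptions constructed for the example.

```javascript
// Added example (not convict's code): hardened dotted-path config loading.
// Every segment of a path such as "db.host", including the parent keys,
// is validated before it is used as a property name.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns the unsafe segments found in a dotted key path (empty when safe).
function unsafeSegments(path) {
  return path.split('.').filter((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Sets `value` at dotted `path` inside `target`, creating intermediate
// null-prototype objects. Throws instead of walking into a forbidden key.
function setNested(target, path, value) {
  const bad = unsafeSegments(path);
  if (bad.length > 0) {
    throw new Error(`unsafe config key segment(s): ${bad.join(', ')}`);
  }
  const segments = path.split('.');
  let node = target;
  for (const parentKey of segments.slice(0, -1)) {
    // Follow only own, object-valued properties; never an inherited one.
    const own = Object.prototype.hasOwnProperty.call(node, parentKey);
    if (!own || typeof node[parentKey] !== 'object' || node[parentKey] === null) {
      node[parentKey] = Object.create(null);
    }
    node = node[parentKey];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Loads a flat {dottedKey: value} object (the shape a parsed config file
// would yield) into a fresh null-prototype tree, rejecting unsafe keys.
function loadConfig(flat) {
  const tree = Object.create(null);
  for (const [key, value] of Object.entries(flat)) {
    setNested(tree, key, value);
  }
  return tree;
}

// Constructed sample inputs: a legitimate config and one carrying a
// polluting parent key that the loader must refuse.
const GOOD_CONFIG = { 'db.host': 'localhost', 'db.port': 5432 };
const BAD_CONFIG = { 'db.host': 'localhost', '__proto__.polluted': 'yes' };
```

Because the tree and every intermediate node are null-prototype objects, even a key that slipped past the segment check could not alter objects elsewhere in the process.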

Exploit

Fix

Prototype Pollution


Weakness Enumeration

Related Identifiers

CVE-2022-22143
GHSA-X2W5-725J-GF2G
SNYK-JS-CONVICT-2340604

Affected Products

Convict