PT-2026-28539 · Convict · Convict

Published 2026-03-26 · Updated 2026-03-27 · CVE-2026-33863

CVSS v4.0: 9.4 (Critical)
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Convict (affected versions not specified)
Description: Convict contains two prototype pollution flaws that earlier fixes did not address. The first is in config.load() and config.loadFile(): the internal overlay() function merges configuration data recursively without validating keys, so input containing __proto__ or constructor.prototype keys lets an attacker write to Object.prototype. The second occurs during schema initialization: passing a schema that contains constructor.prototype.* keys to convict() writes directly to Object.prototype at startup. Depending on how the polluted properties are later used, exploitation can lead to unexpected behaviour, authentication bypass, or remote code execution. Vulnerable functions: config.load(), config.loadFile(), and convict(). Vulnerable parameters: schemas containing constructor.prototype.* keys, and input data passed to load() and loadFile().
Recommendations: Do not pass untrusted data to load(), loadFile(), or convict(). Where configuration or a schema must come from a source you do not fully control, reject any object whose key path contains __proto__, constructor, or prototype before it reaches these functions, and confirm after loading that Object.prototype has not gained unexpected properties.
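As an added illustration (not convict's own code and not taken from the advisory), the Node.js example below reproduces the merge pattern described above with a deliberately naive recursive overlay, shows both the __proto__ and the constructor.prototype payload shapes reaching Object.prototype, and contrasts it with a hardened merge that refuses prototype-chain keys. It also includes a findPrototypeKeys() walker that can gate untrusted JSON before it is passed to load() or loadFile() or used as a schema for convict(). The function names and the sample payloads are constructed for this example.

```javascript
'use strict';

// Added example, not convict's own implementation: a naive recursive merge in
// the style the advisory describes, a hardened merge, and a pre-load gate.
// All names here (unsafeOverlay, safeOverlay, findPrototypeKeys, probe) and
// the payloads are constructed for this illustration.

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: descends into whatever target[key] resolves to, including
// values reached through the prototype chain. target['__proto__'] and
// target['constructor']['prototype'] both resolve to Object.prototype, so the
// recursion writes attacker-controlled properties onto every object.
function unsafeOverlay(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      const cur = target[key];
      if (cur === null || (typeof cur !== 'object' && typeof cur !== 'function')) {
        target[key] = {};
      }
      unsafeOverlay(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuses prototype-chain keys outright and only descends into
// the target's own plain-object properties, never inherited ones.
function safeOverlay(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) {
      throw new Error(`refusing to merge prototype-chain key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeOverlay(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Pre-load gate: returns the dotted path of every blocked key found anywhere
// in parsed JSON, so callers can reject it before load()/loadFile()/convict().
function findPrototypeKeys(obj, path = []) {
  const hits = [];
  if (!isPlainObject(obj)) return hits;
  for (const key of Object.keys(obj)) {
    const here = [...path, key];
    if (BLOCKED_KEYS.has(key)) hits.push(here.join('.'));
    hits.push(...findPrototypeKeys(obj[key], here));
  }
  return hits;
}

// Constructed payloads shaped like untrusted config JSON. JSON.parse yields a
// real own property named "__proto__", which an object literal would not.
const PAYLOADS = {
  proto: '{"port": 8080, "__proto__": {"isAdmin": true}}',
  ctor: '{"port": 8080, "constructor": {"prototype": {"isAdmin": true}}}',
};

// Merges one payload with the given strategy and reports whether an unrelated
// object now carries the injected property; cleans up so probes are independent.
function probe(merge, payloadName) {
  const unrelated = {};
  let rejected = false;
  try {
    merge({}, JSON.parse(PAYLOADS[payloadName]));
  } catch (e) {
    rejected = true;
  }
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, rejected };
}

for (const name of Object.keys(PAYLOADS)) {
  console.log(name, 'unsafe:', probe(unsafeOverlay, name), 'safe:', probe(safeOverlay, name));
  console.log(name, 'gate:', findPrototypeKeys(JSON.parse(PAYLOADS[name])));
}
```

The hardened merge throws rather than silently skipping a blocked key: a configuration source that carries __proto__ or constructor.prototype paths is tampered input, and surfacing it is more useful than quietly dropping it. The gate is deliberately separate so it can run on raw parsed JSON before any library call sees it, which is the only option when the library version in use cannot be changed.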

Fix

Weakness Enumeration

Prototype Pollution

Related Identifiers

CVE-2026-33863
GHSA-HF2R-9GF9-RWCH

Affected Products

Convict