PT-2026-28540 · Npm · Convict

Published: 2026-03-26 · Updated: 2026-03-30 · CVE-2026-33864

CVSS v4.0: 9.4 Critical

Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: convict versions 6.2.4
Description: A prototype pollution issue exists in the convict npm package. It stems from an incomplete fix that attempted to prevent prototype pollution by checking whether user input begins with a prohibited key. It remains possible to pollute Object.prototype with crafted input that leverages String.prototype, because the validation relies on the startsWith() method called on the user-provided input. A proof of concept demonstrates that redefining String.prototype.startsWith to always return false bypasses the check and allows prototype pollution. This can potentially lead to authentication bypass, denial of service, or remote code execution if a polluted property is passed to vulnerable functions.
Recommendations: Update to a newer version that contains a fix for this vulnerability.
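The check described above, as an added example that is not convict's own code: a prohibited-key test in the startsWith() prefix style beside a hardened check that compares each dotted path segment with strict equality and uses intrinsics captured at load time, plus a helper showing how each check behaves when String.prototype.startsWith is replaced, as the advisory's proof of concept describes. The function names and the dotted-path format are assumptions.

```javascript
// Added example, not convict's code: a prefix check in the advisory's style
// beside one that calls no method on the untrusted string.
const PROHIBITED = ['__proto__', 'constructor', 'prototype'];

// Intrinsics captured at load time; the bound functions keep the original
// `call`, `split` and `hasOwnProperty`, so later prototype edits miss them.
const splitString = Function.prototype.call.bind(String.prototype.split);
const hasOwn = Function.prototype.call.bind(Object.prototype.hasOwnProperty);

// Weak check: `path.startsWith` is resolved on String.prototype at call time,
// so the check answers whatever that prototype currently says.
function isProhibitedPrefix(path) {
  return PROHIBITED.some((p) => path.startsWith(p));
}

// Hardened check: each dotted segment is compared with strict equality.
function hasProhibitedSegment(path) {
  if (typeof path !== 'string') return true;
  const segments = splitString(path, '.');
  for (let i = 0; i < segments.length; i++) {
    const s = segments[i];
    if (s === '__proto__' || s === 'constructor' || s === 'prototype') return true;
  }
  return false;
}

// Setter on the hardened check; it descends only through own properties so
// an inherited object is never used as a write target.
function safeSet(target, path, value) {
  if (hasProhibitedSegment(path)) throw new Error('prohibited key in path: ' + path);
  const segments = splitString(path, '.');
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (!hasOwn(node, key) || typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Runs `check` while String.prototype.startsWith is replaced by a function
// returning false, as the advisory's proof of concept describes, then restores it.
function checkWithStartsWithDisabled(check, path) {
  const original = String.prototype.startsWith;
  String.prototype.startsWith = function () { return false; };
  try { return check(path); } finally { String.prototype.startsWith = original; }
}
```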

Fix

Weakness Enumeration: Prototype Pollution

Related Identifiers

CVE-2026-33864
GHSA-44FC-8FM5-Q62H

Affected Products

Convict