CVE-2022-21190: Prototype Pollution in convict
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-21190
GHSA ID:
EPSS Score: 0.69452%
CWE:
Published: 5/14/2022
Updated: 2/2/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
convict | npm | < 6.2.3 | 6.2.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the path validation logic of the `set()` function in main.js. The original fix for CVE-2022-22143 checked forbidden paths with `startsWith()`, which could be bypassed by prepending an arbitrary prefix (e.g., `foo.__proto__`). The commit diff shows the vulnerable code used `` k.startsWith(`${path}.`) `` with `path = '__proto__'`, which failed to block `foo.__proto__.polluted` because `foo.__proto__.` does not start with `__proto__.`. The patched version added trailing dots to the forbidden paths and an `includes()` check so that the dangerous segment is also detected when it is nested deeper in the key, confirming that the vulnerability resided in the `set()` function's validation logic.
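To make the two validation strategies concrete, the following is an added example and not convict's own code: a minimal dotted-path setter with a prefix-only guard (the pattern of the CVE-2022-22143 fix) beside a segment-aware guard (the pattern of the 6.2.3 fix). The forbidden list, the `setPath` helper and the padding form `.${key}.` are assumptions made for this illustration.

```javascript
// Added example, not convict's code. Two forbidden-path guards for dotted
// config keys, plus a small setter that applies a guard before walking.
const FORBIDDEN = ['__proto__']; // the analysis names only __proto__; an
                                 // assumed list that real guards would extend

// Vulnerable guard (prefix-only): rejects the forbidden path only when it is
// the whole key or the key's first segment, so "foo.__proto__.x" passes.
function isForbiddenPrefixOnly(key) {
  return FORBIDDEN.some((p) => key === p || key.startsWith(`${p}.`));
}

// Hardened guard (segment-aware): dot-delimit the key and each forbidden
// path, then use includes(), so the segment is caught at any depth.
function isForbiddenAnySegment(key) {
  const padded = `.${key}.`;
  return FORBIDDEN.some((p) => padded.includes(`.${p}.`));
}

// Dotted-path setter that refuses the key before touching the object. Without
// the guard, a "__proto__" segment would walk into Object.prototype.
function setPath(target, key, value, guard) {
  if (guard(key)) throw new Error(`refusing to set forbidden path: ${key}`);
  const parts = key.split('.');
  let node = target;
  for (const part of parts.slice(0, -1)) {
    if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Evaluate both guards on constructed sample keys without writing anything,
// so the comparison never risks polluting the running process.
function compareGuards(keys) {
  return keys.map((key) => ({
    key,
    prefixOnly: isForbiddenPrefixOnly(key),
    anySegment: isForbiddenAnySegment(key),
  }));
}

console.log(compareGuards(['__proto__.x', 'foo.__proto__.polluted', 'db.host']));
```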