
CVE-2022-21190: Prototype Pollution in convict

CVSS Score
9.8 (CVSS 3.1)

Basic Information

EPSS Score
0.69452%
Published
5/14/2022
Updated
2/2/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
convict
Ecosystem
npm
Vulnerable Versions
< 6.2.3
First Patched Version
6.2.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the set() function's path validation logic in main.js. The original fix for CVE-2022-22143 checked forbidden paths using startsWith(), which could be bypassed by adding an arbitrary prefix (e.g., 'foo.__proto__'). The commit diff shows the vulnerable code used k.startsWith(`${path}.`) with path = '__proto__', which failed to block 'foo.__proto__.polluted' because that key does not start with '__proto__.'. The patched version added trailing dots to the forbidden paths and an includes() check so that nested dangerous paths are detected, confirming that the vulnerability resided in the set() function's validation logic.
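As an added illustration (not convict's code and not part of this advisory), the two validation strategies described above side by side in JavaScript: a prefix-only startsWith() test of the kind the analysis says was bypassed, and a dot-padded includes() test of the kind the fix introduced. The forbidden-segment list, the function names and the sample keys are this example's own assumptions.

```javascript
// Added example, not convict's source. FORBIDDEN_PATHS, the function names
// and SAMPLE_KEYS are constructed for this illustration.

// Property segments that must never appear anywhere in a dotted config key.
// (Constructed list; convict's exact list is not reproduced here.)
const FORBIDDEN_PATHS = ['__proto__', 'constructor', 'prototype'];

// Pre-6.2.3 style: a key is rejected only when it *starts with* a forbidden
// path. A benign leading segment ('foo.') defeats the check.
function isBlockedByPrefixCheck(key) {
  return FORBIDDEN_PATHS.some(
    (path) => key === path || key.startsWith(`${path}.`),
  );
}

// 6.2.3 style: pad the key and each forbidden path with dots, then use
// includes() so the forbidden segment is caught at any depth. The padding
// dots keep 'my__proto__x' from matching while '__proto__' on its own does.
function isBlockedByPaddedCheck(key) {
  const padded = `.${key}.`;
  return FORBIDDEN_PATHS.some((path) => padded.includes(`.${path}.`));
}

// Equivalent and more explicit: split on dots and test every segment.
// Because forbidden paths contain no dots, '.path.' can only occur in the
// padded key on segment boundaries, so both checks agree on every input.
function isBlockedBySegmentCheck(key) {
  return key.split('.').some((segment) => FORBIDDEN_PATHS.includes(segment));
}

// Run each validator over a list of keys and record its verdict, producing
// the kind of regression table a reviewer wants when judging a fix like this.
function compareValidators(keys) {
  const validators = {
    prefix: isBlockedByPrefixCheck,
    padded: isBlockedByPaddedCheck,
    segment: isBlockedBySegmentCheck,
  };
  const report = Object.create(null); // null prototype: keys are untrusted
  for (const key of keys) {
    report[key] = {};
    for (const [name, check] of Object.entries(validators)) {
      report[key][name] = check(key) ? 'blocked' : 'allowed';
    }
  }
  return report;
}

// Keys the old prefix check lets through but the hardened check rejects:
// exactly the gap the advisory describes.
function findDivergences(keys) {
  return keys.filter(
    (key) => !isBlockedByPrefixCheck(key) && isBlockedByPaddedCheck(key),
  );
}

// Constructed sample keys: ordinary config paths plus the nested dangerous
// paths the root-cause analysis mentions.
const SAMPLE_KEYS = [
  'db.host',
  'server.port',
  '__proto__.polluted',
  'foo.__proto__.polluted',
  'a.b.constructor.prototype.x',
];

console.table(compareValidators(SAMPLE_KEYS));
console.log('bypasses of the prefix-only check:', findDivergences(SAMPLE_KEYS));
```

The table shows the prefix-only check rejecting '__proto__.polluted' but allowing 'foo.__proto__.polluted', while the padded and segment checks reject both; the segment-wise form is the one to prefer in new code because its intent is obvious without the dot-padding trick.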


WAF Protection Rules

WAF Rule

This affects the package convict before 6.2.3. This is a bypass of [CVE-2022-22143](https://security.snyk.io/vuln/SNYK-JS-CONVICT-*******). The [fix](https://github.com/mozilla/node-convict/commit/****************************************) introduced,
