9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-21190

GHSA ID

GHSA-jjf5-wx3j-3fv7

EPSS Score

0.69452%

CWE

CWE-1321

Published

5/14/2022

Updated

2/2/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-21190

CVE-2022-21190:
Prototype Pollution in convict

This affects the package convict before 6.2.3. This is a bypass of CVE-2022-22143. The fix introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with proto or this.constructor.prototype. To bypass this check it's possible to prepend the dangerous paths with any string value followed by a dot, like for example foo.proto or foo.this.constructor.prototype.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-21190

GHSA ID

GHSA-jjf5-wx3j-3fv7

EPSS Score

0.69452%

CWE

CWE-1321

Published

5/14/2022

Updated

2/2/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
convict	npm	< 6.2.3	6.2.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the set() function's path validation logic in main.js. The original fix for CVE-2022-22143 checked forbidden paths using startsWith(), which could be bypassed by adding arbitrary prefixes (e.g., 'foo.proto'). The commit diff shows the vulnerable code used 'k.startsWith(${path}.)' with path='proto', which failed to block 'foo.proto.polluted' since 'foo.proto.' doesn't start with 'proto.'. The patched version added trailing dots to forbidden paths and included an includes() check to detect nested dangerous paths, confirming the vulnerability resided in the set() function's validation logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** *onvi*t ***or* *.*.*. T*is is * *yp*ss o* [*V*-****-*****](*ttps://s**urity.snyk.io/vuln/SNYK-JS-*ONVI*T-*******). T** [*ix](*ttps://*it*u*.*om/mozill*/no**-*onvi*t/*ommit/****************************************) intro*u***,

Reasoning

T** vuln*r**ility st*ms *rom t** s*t() *un*tion's p*t* v*li**tion lo*i* in m*in.js. T** ori*in*l *ix *or *V*-****-***** ****k** *or*i***n p*t*s usin* st*rtsWit*(), w*i** *oul* ** *yp*ss** *y ***in* *r*itr*ry pr**ix*s (*.*., '*oo.__proto__'). T** *omm

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-21190: Prototype Pollution in convict

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-21190:
Prototype Pollution in convict

Vulnerability Intelligence
Miggo AI