
CVE-2022-22143: Prototype Pollution in convict

CVSS Score: 8.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.73862%
Published: 4/20/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: convict
Ecosystem: npm
Vulnerable Versions: < 6.2.3
First Patched Version: 6.2.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

1. The vulnerability manifests in the set() method, as shown by:
   - The PoC demonstrates pollution via config.set('__proto__.polluted')
   - The commit 3b86be0 adds forbidden key path checks directly in the set function
   - The CWE-1321 classification confirms prototype pollution via object property manipulation
   - The patch adds validation for prototype-related key paths in the set method's early return logic
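As an added example (not convict's code and not from this page), the pattern the analysis describes: a dotted-path setter that can be walked onto Object.prototype, next to a hardened version that applies a forbidden-key-path check before any property is touched, which is the shape of fix the root cause analysis attributes to the patch. The names setPathUnsafe, setPathSafe, isForbiddenPath and FORBIDDEN_SEGMENTS are my own, not convict's API.

```javascript
// Added example, not convict's code. Function and constant names are assumed.
// Segments that reach the prototype chain instead of an own property.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter: walks/creates objects along a dotted path and assigns the
// final segment. With the path '__proto__.polluted' the walk lands on
// Object.prototype, so the assignment leaks into every plain object.
function setPathUnsafe(target, path, value) {
  const segments = path.split('.');
  let node = target;
  for (const seg of segments.slice(0, -1)) {
    if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Forbidden key path check: reject the whole path if any segment is a
// prototype-related key ('constructor.prototype.x' is caught as well).
function isForbiddenPath(path) {
  return path.split('.').some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Hardened setter: the early return happens before the walk, so a
// polluting path never touches any object and no partial write occurs.
function setPathSafe(target, path, value) {
  if (isForbiddenPath(path)) {
    throw new Error(`refusing to set forbidden key path: ${path}`);
  }
  return setPathUnsafe(target, path, value);
}

// Demonstration on a throwaway config object. The prototype write from the
// unsafe setter is undone immediately so the process is left clean.
function demo() {
  setPathUnsafe({}, '__proto__.polluted', true);
  const leaked = ({}).polluted === true;   // true: unrelated objects see it
  delete Object.prototype.polluted;         // clean up after the demo

  let blocked = false;
  try { setPathSafe({}, '__proto__.polluted', true); } catch (e) { blocked = true; }

  const cfg = setPathSafe({}, 'server.port', 8080);   // ordinary path still works
  return { leaked, blocked, port: cfg.server.port };
}
```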


WAF Protection Rules

WAF Rule

Impact
- An attacker can inject attributes that are used in other components.
- An attacker can override existing attributes with ones that have incompatible type, which may lead to a crash. The main use case of convict is for handling server-si
