CVE-2022-22143: Prototype Pollution in convict
CVSS Score: 8.4 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-22143
GHSA ID:
EPSS Score: 0.73862%
CWE: CWE-1321
Published: 4/20/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| convict | npm | < 6.2.3 | 6.2.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The vulnerability manifests in the set() method, as shown in:
- The PoC demonstrates pollution via `config.set('__proto__.polluted')`
- The commit 3b86be0 adds forbidden key path checks directly in the set function
- The CWE-1321 classification confirms prototype pollution via object property manipulation
- The patch adds validation for prototype-related key paths in the set method's early return logic
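As an added example, not convict's own code, the following dotted key-path setter shows the kind of forbidden-segment check the patch is described as adding (validate the whole path before writing, descend only into own properties), plus a post-load check a test suite can run to confirm Object.prototype was not touched. Function and constant names are assumed.

```javascript
'use strict';

// Key segments that must never be traversed or assigned while walking a dotted path,
// because each one is a route from a plain object to Object.prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns the first forbidden segment in a dotted key path, or null if the path is clean.
function findForbiddenSegment(keyPath) {
  for (const segment of String(keyPath).split('.')) {
    if (FORBIDDEN_SEGMENTS.has(segment)) return segment;
  }
  return null;
}

// Hardened setter: rejects the path up front (the early-return style check the
// advisory describes), then writes only through properties the target itself owns.
function safeSetPath(target, keyPath, value) {
  const bad = findForbiddenSegment(keyPath);
  if (bad !== null) {
    throw new Error(`refusing to set "${keyPath}": forbidden key segment "${bad}"`);
  }
  const parts = keyPath.split('.');
  let node = target;
  for (const part of parts.slice(0, -1)) {
    // Never descend into an inherited property; create a prototype-less container instead.
    const own = Object.prototype.hasOwnProperty.call(node, part);
    if (!own || typeof node[part] !== 'object' || node[part] === null) {
      node[part] = Object.create(null);
    }
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Post-condition check: a freshly created object must not see the given key
// through its prototype chain. Run it after configuration has been loaded.
function isPrototypeClean(key) {
  return !(key in {});
}

module.exports = { FORBIDDEN_SEGMENTS, findForbiddenSegment, safeSetPath, isPrototypeClean };
```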