CVE-2022-22143 in convict

Summary

by MITRE • 05/01/2022

The package convict before 6.2.2 is vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508).


Analysis

by VulDB Data Team • 05/04/2022

The CVE-2022-22143 vulnerability affects convict package versions before 6.2.2 and is a critical prototype pollution flaw that undermines the integrity of applications relying on this configuration management library. The flaw manifests within the convict function, where insufficient validation of the parentKey parameter lets attackers manipulate object prototypes. It stems from an incomplete remediation of a previous vulnerability, SNYK-JS-CONVICT-1062508, indicating a pattern of recurring security issues in the package's implementation. Prototype pollution occurs when user-controllable input is used to modify the prototype of an object, allowing attackers to inject properties into every object derived from that prototype and thereby compromising application behavior and data integrity.

The technical exploitation of this vulnerability involves crafting malicious input that bypasses the validation mechanisms intended to prevent prototype manipulation. When the convict function processes configuration data without proper parentKey validation, it allows attackers to inject properties into the Object.prototype or other core objects. This occurs because the function fails to sanitize or validate the keys used in the configuration hierarchy, enabling attackers to specify parent keys that could lead to prototype pollution. The vulnerability operates at the core level of JavaScript object manipulation, where the prototype chain is modified through seemingly innocuous configuration inputs that ultimately compromise the entire application's object model.

The operational impact of CVE-2022-22143 extends beyond simple data corruption, as prototype pollution can enable a wide range of downstream attacks including remote code execution, denial of service, and privilege escalation depending on the application's architecture and how it handles configuration data. Applications using vulnerable versions of convict may experience unexpected behavior where attacker-controlled properties are injected into objects, potentially affecting application logic, authentication mechanisms, or data processing flows. The vulnerability's exploitation can lead to persistent security issues since prototype pollution affects all objects that inherit from the polluted prototype, making detection and remediation challenging. This type of vulnerability is particularly dangerous in server-side applications where configuration management is critical for application behavior and security posture.

Organizations should immediately upgrade to convict version 6.2.2 or later to address this vulnerability, as this release includes the proper validation mechanisms for parentKey parameters. The fix addresses the incomplete remediation that allowed the vulnerability to persist, implementing comprehensive input validation to prevent malicious keys from polluting object prototypes. Additionally, security teams should conduct thorough code reviews to identify any custom implementations that might be using the vulnerable convict functions or related patterns. The vulnerability aligns with CWE-471, which describes the improper handling of dynamically-controlled data structures, and corresponds to ATT&CK technique T1059.007 for script injection, as the prototype pollution can enable malicious code execution through configuration manipulation. Organizations should also implement runtime monitoring to detect anomalous object prototype modifications and consider implementing input sanitization at multiple layers to prevent similar issues in other components of their application stack.
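The following is an added illustration, not convict's own code, of the bug class the analysis describes (a nested-key setter that walks an unvalidated parentKey) and of the key validation the fix requires. The function names, the parentKey/key split and the sample inputs are constructed for this example.

```javascript
// Hypothetical nested-key setter of the kind a configuration loader uses,
// shown in a vulnerable and a hardened form (assumed names, not convict's API).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: walks the dotted parentKey with no validation. A segment that
// names a prototype accessor steps off the config object onto a shared
// prototype, and the final assignment then lands on every object sharing it.
function setNestedUnsafe(target, parentKey, key, value) {
  let node = target;
  for (const segment of parentKey.split('.')) {
    if (typeof node[segment] !== 'object' || node[segment] === null) {
      node[segment] = {};
    }
    node = node[segment];
  }
  node[key] = value;
  return target;
}

// Hardened: every key used for traversal or assignment is validated first,
// and only own properties are followed, so the walk cannot leave the
// configuration object it started on.
function setNestedSafe(target, parentKey, key, value) {
  const segments = parentKey === '' ? [] : parentKey.split('.');
  for (const k of [...segments, key]) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`refusing prototype-polluting key: ${k}`);
    }
  }
  let node = target;
  for (const segment of segments) {
    if (!Object.prototype.hasOwnProperty.call(node, segment) ||
        typeof node[segment] !== 'object' || node[segment] === null) {
      node[segment] = {};
    }
    node = node[segment];
  }
  node[key] = value;
  return target;
}

// Runtime check for the monitoring the analysis recommends: true when
// Object.prototype has acquired an own property it should not carry.
function prototypeIsPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}
```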

Responsible

Snyk

Reservation

02/24/2022

Disclosure

05/01/2022

Moderation

accepted

CPE

ready

EPSS

0.02027

KEV

no

Activities

very low
