CVE-2026-33863

Description

### Impact Two unguarded prototype pollution paths exist, not covered by previous fixes: 1. `config.load()` / `config.loadFile()` — `overlay()` recursively merges config data without checking for forbidden keys. Input containing` __proto__` or `constructor.prototype` (e.g. from a JSON file) causes the recursion to reach `Object.prototype` and write attacker-controlled values onto it. 2. Schema initialization — passing a schema with `constructor.prototype.*` keys to `convict({...})` causes default-value propagation to write directly to `Object.prototype` at startup. Depending on how polluted properties are consumed, impact ranges from unexpected behavior to authentication bypass or RCE. ### Workarounds Do not pass untrusted data to load(), loadFile(), or convict(). ### Resources Prior advisory: [GHSA-44fc-8fm5-q62h](https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h) Related issue: [https://github.com/mozilla/node-convict/issues/423](https://github.com/mozilla/node-convict/issues/423)

How to fix CVE-2026-33863

To remediate CVE-2026-33863, upgrade the affected package to a fixed version below.

• —upgrade to 6.2.5 or later

Is CVE-2026-33863 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-33863.

Affected packages (1)

• from 0, < 6.2.5

CVSS scores

References (4)

• PATCHgithub.com/mozilla/node-convict
• WEBgithub.com/mozilla/node-convict/issues/423
• WEBgithub.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h
• WEBgithub.com/mozilla/node-convict/security/advisories/GHSA-hf2r-9gf9-rwch