
Convict Prototype Pollution Vulnerabilities (CVE-2026-33864, CVE-2026-33863)

Critical prototype pollution vulnerabilities (CVE-2026-33864, CVE-2026-33863) affect the convict npm package. Update to version 6.2.5 immediately to mitigate potential RCE.


Two critical prototype pollution vulnerabilities have been disclosed in the `convict` npm package. Prototype pollution lets an attacker add or overwrite properties on `Object.prototype`, which every plain object then inherits; depending on how the application later consumes those properties, this can escalate to remote code execution. The vulnerabilities, tracked as CVE-2026-33864 and CVE-2026-33863, affect any application that feeds attacker-controlled data into `convict`'s set, load, or schema-initialization paths. A fix is available in version 6.2.5.

With a CVSS score of 9.5, these are critical vulnerabilities requiring immediate attention.

What is Convict?

Convict is a configuration management library for Node.js applications. It lets developers define a schema for their application's configuration, validate configuration data supplied at runtime (from files, environment variables, command-line arguments, or programmatic calls), and provide default values. By using convict, applications can ensure that they run with valid and expected configuration settings. Because convict's job is to merge externally supplied data into a configuration object, it sits directly on the path that prototype pollution exploits.

CVE-2026-33864: Prototype Pollution via startsWith() Bypass

CVSS: 9.5
Affected versions: Users of `convict` version 6.2.4 are affected. Any application that uses `convict.set` to process attacker-controlled input is vulnerable.

Critical vulnerability, requiring immediate attention and patching.

A prototype pollution vulnerability exists in `convict` due to insufficient input validation in `set()`. The guard that is meant to keep prototype-reaching keys out of the configuration tree relies on `String.prototype.startsWith`, and an attacker can craft a key path that passes that check while still reaching `Object.prototype`, polluting it with attacker-chosen properties.

How to fix CVE-2026-33864 in Convict

Patch immediately
  1. Update the `convict` package to version 6.2.5 or later. Note that `npm update convict` only moves within the semver range declared in package.json; if that range excludes 6.2.5, install it explicitly with `npm install convict@^6.2.5`, then confirm the resolved version with `npm ls convict`.
Update convict
npm update convict

NextGuard automatically flags CVE-2026-33864 if Convict appears in any of your monitored projects — no manual lookup required.

CVE-2026-33863: Prototype Pollution via load(), loadFile(), and Schema Initialization

CVSS: 9.5
Affected versions: Users of `convict` are affected when using `config.load()`, `config.loadFile()`, or when initializing `convict` with a schema containing malicious keys. Passing untrusted data to these functions makes applications vulnerable.

Critical vulnerability, requiring immediate attention and patching.

Prototype pollution vulnerabilities exist in `convict` through the `load()` and `loadFile()` functions, as well as during schema initialization. These functions recursively merge configuration data into the configuration object without rejecting prototype-reaching keys such as `__proto__` or `constructor` at each nesting level, so a crafted JSON document (or a crafted config file read by `loadFile()`) lets an attacker inject properties into `Object.prototype`.
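The following is an added example, not convict's own code, that stands in for the two bug classes described on this page: a recursive merge in the shape of `load()` that walks into `__proto__`, and a dotted-path setter in the shape of `set()` whose guard checks only the start of the path with `startsWith` (the exact shape of that guard is an assumption made for illustration, not a claim about convict's source). Each vulnerable function is paired with a hardened version that refuses `__proto__`, `constructor`, and `prototype` at every nesting level and only descends into the target's own properties. The payloads are constructed for the demonstration.

```javascript
// Added example (not convict's code): toy load()/set()-style config merging,
// vulnerable and hardened side by side. Payloads are constructed inline.

// Keys that reach Object.prototype (or a constructor's prototype) from any plain
// object; they must be refused at every nesting level, not just the top.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: recursive merge with no key filtering. JSON.parse creates an own
// property literally named "__proto__", so Object.keys() yields it; reading
// target["__proto__"] on a fresh {} returns Object.prototype, and the recursion
// then writes the attacker's values onto it.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// VULNERABLE (hypothetical guard, assumed for illustration): rejecting only
// paths that START with a dangerous segment. "a.__proto__.x" slips through.
function setByPathPrefixGuard(target, path, value) {
  if (path.startsWith('__proto__') || path.startsWith('constructor')) {
    throw new Error('rejected path: ' + path);
  }
  const parts = path.split('.');
  let cur = target;
  for (const seg of parts.slice(0, -1)) {
    if (!isPlainObject(cur[seg])) cur[seg] = {};
    cur = cur[seg];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// HARDENED merge: refuse forbidden keys at every level and only descend into
// the target's OWN plain-object properties, never inherited ones.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error('rejected key: ' + key);
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// HARDENED set: validate EVERY segment of the dotted path, not just its start.
function setByPathSafe(target, path, value) {
  const parts = path.split('.');
  for (const seg of parts) {
    if (FORBIDDEN_KEYS.has(seg)) throw new Error('rejected path segment: ' + seg);
  }
  let cur = target;
  for (const seg of parts.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, seg) || !isPlainObject(cur[seg])) cur[seg] = {};
    cur = cur[seg];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Post-load canary: a fresh object must not see the attacker's property.
function prototypeIsClean(name) {
  return !(name in {});
}

function throwsError(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

function demonstrate() {
  // Constructed payload of the kind an attacker would feed to load()/set().
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  const results = {};

  mergeUnsafe({}, untrusted);
  results.unsafeMergePolluted = !prototypeIsClean('polluted');
  delete Object.prototype.polluted; // undo so the next step starts clean

  results.prefixGuardBlocksTopLevel = throwsError(() => setByPathPrefixGuard({}, '__proto__.polluted', 'yes'));
  setByPathPrefixGuard({}, 'a.__proto__.polluted', 'yes');
  results.prefixGuardBypassed = !prototypeIsClean('polluted');
  delete Object.prototype.polluted;

  results.safeMergeRejected = throwsError(() => mergeSafe({}, untrusted)) && prototypeIsClean('polluted');
  results.safeSetRejected = throwsError(() => setByPathSafe({}, 'a.__proto__.polluted', 'yes')) && prototypeIsClean('polluted');

  // Ordinary configuration still merges as expected through the hardened path.
  const cfg = mergeSafe({ db: { host: 'localhost', port: 5432 } }, { db: { port: 6543 }, debug: true });
  results.legitimateMergeWorks = cfg.db.host === 'localhost' && cfg.db.port === 6543 && cfg.debug === true;
  return results;
}

console.log(demonstrate());
```

Run it with `node` to see the four outcomes: the unfiltered merge and the prefix-only guard both leave `polluted` visible on a brand-new `{}`, while the hardened versions throw before touching the prototype and still merge ordinary nested configuration. The `prototypeIsClean` canary is cheap to keep in a test suite that loads real configuration: after `load()` or `loadFile()`, assert that a property name which never appears in your schema is absent from `{}`.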

How to fix CVE-2026-33863 in Convict

Patch immediately
  1. Update the `convict` package to version 6.2.5 or later.
Update convict
npm update convict

Workaround: Until the upgrade is in place, do not pass untrusted data to `load()`, `loadFile()`, or `convict()`. Treat any configuration file that an attacker could write as untrusted input to `loadFile()`, and reject or strip the keys `__proto__`, `constructor`, and `prototype` at every nesting level before handing data to these functions.

Stay ahead of Node.js vulnerabilities

Proactively detect and respond to security threats in your Node.js applications. Monitor your Node.js dependencies for real-time vulnerability alerts.

These prototype pollution vulnerabilities in `convict` pose a significant risk to Node.js applications, since any property an attacker plants on `Object.prototype` is inherited by every plain object in the process. Update to version 6.2.5 immediately, confirm the resolved version in your lockfile, and review other Node.js dependencies for similar issues.

Related topics

Prototype Pollution, Node.js Security, Configuration Management, Remote Code Execution