Description
The package convict before 6.2.2 are vulnerable to Prototype Pollution via the convict function due to missing validation of parentKey. **Note:** This vulnerability derives from an incomplete fix of another [vulnerability](https://security.snyk.io/vuln/SNYK-JS-CONVICT-1062508)
Remediation
References
https://github.com/mozilla/node-convict/blob/5eb1314f85346760a3c31cb14510f2f0af11d0d3/packages/convict/src/main.js%23L569
https://github.com/mozilla/node-convict/commit/3b86be087d8f14681a9c889d45da7fe3ad9cd880
https://snyk.io/vuln/SNYK-JS-CONVICT-2340604
Related Vulnerabilities
CVE-2020-35213 Vulnerability in maven package io.atomix:atomix
CVE-2022-25766 Vulnerability in npm package ungit
CVE-2022-3171 Vulnerability in maven package com.google.protobuf:protobuf-java
CVE-2020-35451 Vulnerability in maven package org.apache.oozie:oozie-tools
CVE-2023-0867 Vulnerability in maven package org.opennms:opennms-webapp