CVE-2022-21803

7.3 HIGH

📋 TL;DR

CVE-2022-21803 is a prototype pollution vulnerability in the nconf configuration management library when using the memory engine. Attackers can inject malicious properties through the .set() function to modify Object.prototype, potentially leading to denial of service or remote code execution. This affects applications using nconf versions before 0.11.4.

💻 Affected Systems

Products:
  • nconf
Versions: All versions before 0.11.4
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using the memory engine with untrusted input to .set() function

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠 Likely Case: Denial of service, application crashes, or unauthorized configuration changes

🟢 If Mitigated: Limited impact if input validation and sandboxing prevent exploitation

🌐 Internet-Facing: MEDIUM - Requires specific nconf memory engine usage and crafted input
🏢 Internal Only: LOW - Typically requires authenticated access or specific application functionality

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires control over input to nconf's .set() method and memory engine usage

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.11.4

Vendor Advisory: https://github.com/indexzero/nconf/releases/tag/v0.11.4

Restart Required: Yes

Instructions:

1. Update package.json to specify nconf version 0.11.4 or higher.
2. Run 'npm update nconf' or 'yarn upgrade nconf'.
3. Restart all Node.js applications using nconf.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation for all data passed to nconf's .set() method

Use alternative storage engines (applies to: all)

Switch from memory engine to file, redis, or other storage engines

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all configuration data
  • Use Object.freeze() on critical objects to prevent prototype pollution
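One way to implement the input-validation workaround above, as an added example that is not from the page or from the nconf project: a guard that rejects any nconf-style key whose path could reach Object.prototype before it is handed to .set(), plus a baseline check that the prototype has not gained properties. It assumes nconf's default ':' key separator and uses a small stand-in store so it runs without the library.

```javascript
// Added example; MemoryStore is a stand-in for nconf's memory engine, not nconf code.
// Assumption: keys use nconf's default ':' separator (e.g. 'database:host').

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// True only when no segment of the key path is a prototype accessor.
function isSafeConfigKey(key) {
  if (typeof key !== 'string' || key.length === 0) return false;
  return key.split(':').every((segment) => !FORBIDDEN_SEGMENTS.has(segment));
}

// Minimal path-based store mirroring the nested-set behaviour the CVE concerns.
class MemoryStore {
  constructor() { this.store = {}; }
  set(key, value) {
    const parts = key.split(':');
    let target = this.store;
    for (const part of parts.slice(0, -1)) {
      if (typeof target[part] !== 'object' || target[part] === null) target[part] = {};
      target = target[part];
    }
    target[parts[parts.length - 1]] = value;
  }
  get(key) {
    return key.split(':').reduce((o, p) => (o == null ? undefined : o[p]), this.store);
  }
}

// Use this at every point where untrusted input is written into configuration.
function safeSet(store, key, value) {
  if (!isSafeConfigKey(key)) {
    throw new Error(`rejected unsafe config key: ${key}`);
  }
  store.set(key, value);
  return true;
}

// Snapshot of Object.prototype's own property names taken at startup.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Monitoring hook: reports whether Object.prototype has gained any property
// since startup, which is the observable effect of a successful pollution.
function prototypeIsClean() {
  return Object.getOwnPropertyNames(Object.prototype)
    .every((name) => PROTOTYPE_BASELINE.has(name));
}
```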

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list nconf' to see if version is below 0.11.4

Check Version:

npm list nconf | grep nconf

Verify Fix Applied:

Verify nconf version is 0.11.4 or higher using 'npm list nconf'

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual configuration changes
  • Prototype pollution error messages

Network Indicators:

  • Unusual API calls to configuration endpoints
  • Suspicious input patterns in HTTP requests

SIEM Query:

source="application.log" AND ("prototype pollution" OR ("nconf" AND "unexpected"))
