CVE-2022-22143

7.5 HIGH

📋 TL;DR

CVE-2022-22143 is a prototype pollution vulnerability in the convict configuration management library for Node.js. It allows an attacker who controls configuration input to modify object prototypes, potentially leading to denial of service, remote code execution, or privilege escalation. Any Node.js application that loads configuration with a vulnerable version of convict is affected.

💻 Affected Systems

Products:
  • convict
Versions: All versions before 6.2.2
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration whenever convict processes untrusted input.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or service disruption.

🟠 Likely Case

Denial of service through application crashes or modification of configuration behavior.

🟢 If Mitigated

Limited impact if input validation and sandboxing prevent malicious payloads from reaching convict.

🌐 Internet-Facing: HIGH - Web applications using convict for configuration are directly exposed to attack vectors.
🏢 Internal Only: MEDIUM - Internal services could be compromised through lateral movement or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires an attacker to control the input that convict parses as configuration. A public proof-of-concept demonstrates the prototype pollution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2.2

Vendor Advisory: https://github.com/mozilla/node-convict/security/advisories/GHSA-6g2m-w6m4-h9q6

Restart Required: Yes

Instructions:

1. Update package.json to specify convict version 6.2.2 or higher.
2. Run 'npm update convict' or 'yarn upgrade convict'.
3. Restart all Node.js services using convict.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation for all configuration sources before passing them to convict.

Use Object.freeze on prototypes (applies to: all)

Freeze Object.prototype to prevent prototype pollution attacks.

Object.freeze(Object.prototype);
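The two workarounds above, worked through as an added example that is not code from this advisory or from the convict project: a recursive validator that refuses configuration input carrying prototype-reaching keys before it is handed to convict, a runtime canary that detects whether Object.prototype has been polluted, and the Object.freeze hardening wrapped so it can be verified. The sample inputs and the canary names are constructed for illustration.

```javascript
// Added example, not code from the advisory or from convict itself.
// Keys through which an object literal can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed config object and return the dotted path of the first
// forbidden key, or null when the object is clean. Recurses into nested
// objects and arrays; JSON.parse creates "__proto__" as an own property,
// so Object.keys() does see it.
function findPollutingKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) return here;
    const nested = findPollutingKey(value[key], here);
    if (nested !== null) return nested;
  }
  return null;
}

// Parse untrusted JSON text and refuse it before it reaches convict's
// load step if any polluting key is present. Assumes the text comes from
// a source the application does not control (an HTTP body, a user file).
function parseConfigSafely(text) {
  const parsed = JSON.parse(text);
  const bad = findPollutingKey(parsed);
  if (bad !== null) {
    throw new Error(`refusing config: prototype-polluting key at "${bad}"`);
  }
  return parsed;
}

// Runtime canary for the monitoring side: true when none of the given names
// has leaked onto Object.prototype. Call it after every config load and log
// a failure as a pollution indicator.
function prototypeIsClean(canaryNames) {
  return canaryNames.every((name) => !(name in {}));
}

// The advisory's second workaround, wrapped so it can be verified: once
// Object.prototype is frozen, later attempts to add properties to it throw
// in strict mode and are ignored in sloppy mode.
function freezePrototypes() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Constructed sample inputs (not from the advisory).
const SAMPLE_BENIGN = '{"port": 8080, "db": {"host": "localhost"}}';
const SAMPLE_POLLUTING = '{"db": {"options": {"__proto__": {"admin": true}}}}';
```

Run the validator on every configuration source before convict sees it, and treat a failing canary as a detection event rather than a recoverable error.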

🧯 If You Can't Patch

  • Isolate services using vulnerable convict versions behind firewalls with strict network controls.
  • Implement runtime protection tools that detect and block prototype pollution attempts.

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list convict' to see the installed version. If the version is below 6.2.2, the system is vulnerable.

Check Version:

npm list convict | grep convict

Verify Fix Applied:

After updating, verify that the version is 6.2.2 or higher with 'npm list convict', and test configuration parsing with known malicious inputs to confirm they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes
  • Unusual configuration changes
  • Error messages related to prototype modification

Network Indicators:

  • Unusual HTTP requests to configuration endpoints
  • Malformed JSON payloads to configuration APIs

SIEM Query:

source="application.logs" AND ("prototype pollution" OR "convict error" OR "unexpected property")

🔗 References
