CVE-2023-0163
📋 TL;DR
This CVE describes a Prototype Pollution vulnerability in Mozilla Convict, a Node.js configuration management library. Attackers can inject or override object attributes, potentially causing crashes or enabling further attacks. Systems using Convict versions before 6.2.4 for server-side configuration management are affected.
💻 Affected Systems
- Mozilla Convict
📦 What is this software?
Convict by Mozilla
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution or complete server compromise, should the prototype pollution be chained into arbitrary code execution.
Likely Case
Server crashes or denial of service due to incompatible type overrides, potentially disrupting application functionality.
If Mitigated
Limited to configuration corruption if input validation prevents malicious payloads, but still risks stability issues.
🎯 Exploit Status
Exploitation requires ability to modify configuration files, typically requiring admin access or social engineering of administrators.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.4
Vendor Advisory: https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf
Restart Required: Yes
Instructions:
1. Update package.json to specify 'convict': '>=6.2.4'.
2. Run 'npm update convict' or 'yarn upgrade convict'.
3. Restart all Node.js applications using Convict.
🔧 Temporary Workarounds
Input Validation
Implement strict validation of configuration file inputs to prevent malicious payloads.
- Implement schema validation for all configuration inputs
- Use JSON schema validation before Convict parsing
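As an added illustration of the pre-parse validation suggested above (example code, not from the advisory or the convict project), this guard walks the parsed configuration JSON and rejects any document carrying keys usable for prototype pollution before it is handed to Convict. The sample configuration strings and the forbidden-key list are constructed for the example.

```javascript
'use strict';

// Keys that let a configuration document reach Object.prototype or a
// constructor chain; the list is an assumption for this example.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks a parsed JSON value and returns the dotted paths of forbidden keys.
// JSON.parse creates an own data property named "__proto__", so Object.keys
// sees it and does not trigger any setter.
function findForbiddenKeys(value, path = [], found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findForbiddenKeys(item, [...path, String(i)], found));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const keyPath = [...path, key];
      if (FORBIDDEN_KEYS.has(key)) found.push(keyPath.join('.'));
      findForbiddenKeys(value[key], keyPath, found);
    }
  }
  return found;
}

// Parses configuration text and throws if any forbidden key is present.
// The returned object is what would then be passed to config.load().
function parseSafeConfig(text) {
  const parsed = JSON.parse(text);
  const badPaths = findForbiddenKeys(parsed);
  if (badPaths.length > 0) {
    throw new Error(`Rejected configuration: forbidden keys at ${badPaths.join(', ')}`);
  }
  return parsed;
}

// Constructed sample inputs (not from the advisory).
const GOOD_CONFIG = '{"port": 8080, "db": {"host": "localhost"}}';
const BAD_CONFIG = '{"port": 8080, "db": {"__proto__": {"polluted": true}}}';

console.log('good config accepted:', parseSafeConfig(GOOD_CONFIG));
try {
  parseSafeConfig(BAD_CONFIG);
} catch (err) {
  console.log('bad config rejected:', err.message);
}
```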
Configuration File Permissions
Restrict write access to configuration files to trusted administrators only.
chmod 600 config/*.json
setfacl -m u:trustedadmin:rw config/*.json
🧯 If You Can't Patch
- Implement strict access controls on configuration files to prevent unauthorized modifications.
- Use alternative configuration management libraries that are not vulnerable to prototype pollution.
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for the convict version. If the version is below 6.2.4, the system is vulnerable.
Check Version:
npm list convict | grep convict
Verify Fix Applied:
Verify that the convict version is 6.2.4 or higher using 'npm list convict' or by checking package.json.
📡 Detection & Monitoring
Log Indicators:
- Unexpected server crashes or restarts
- Configuration parsing errors with unusual property names
- Prototype modification warnings in Node.js logs
Network Indicators:
- Unusual configuration file uploads or modifications
- Admin interface access from unexpected locations
SIEM Query:
source="application.logs" AND ("convict" OR "config") AND ("crash" OR "error" OR "prototype")