CVE-2022-21190 Overview
CVE-2022-21190 is a prototype pollution vulnerability affecting the Mozilla Convict configuration management library for Node.js. This vulnerability represents a bypass of a previous security fix (CVE-2022-22143), allowing attackers to pollute JavaScript object prototypes through specially crafted configuration paths.
The original fix introduced in response to CVE-2022-22143 relied on the startsWith method to check if configuration paths began with dangerous strings like __proto__ or this.constructor.prototype. However, this validation can be trivially bypassed by prepending any string value followed by a dot before the forbidden paths, such as foo.__proto__ or foo.this.constructor.prototype.
Critical Impact
Successful exploitation enables remote attackers to modify JavaScript object prototypes without authentication, potentially leading to arbitrary code execution, denial of service, or complete application compromise.
Affected Products
- Mozilla Convict (versions before 6.2.3)
- Node.js applications using vulnerable convict versions
Discovery Timeline
- May 13, 2022 - CVE-2022-21190 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-21190
Vulnerability Analysis
This vulnerability is a classic example of incomplete input validation leading to prototype pollution. When the initial CVE-2022-22143 was disclosed, Mozilla implemented a fix that checked if configuration paths started with forbidden strings like __proto__ or this.constructor.prototype. However, the validation logic failed to account for nested property paths where the dangerous string appears after the first property accessor.
Prototype pollution in JavaScript occurs when an attacker can inject properties into the base Object.prototype, which is then inherited by all objects in the application. In the context of Convict, this allows attackers to inject malicious configuration values that propagate throughout the application, potentially affecting security-critical settings, authentication mechanisms, or enabling code execution through gadget chains.
The network-accessible nature of this vulnerability, combined with no authentication requirements, makes it particularly dangerous for Node.js applications exposed to untrusted input.
Root Cause
The root cause lies in the insufficient path validation logic in the Convict library. The fix for CVE-2022-22143 only checked if paths started with forbidden strings (__proto__ and this.constructor.prototype). This approach fails to prevent prototype pollution when the dangerous path segment appears anywhere other than the beginning of the configuration path.
The startsWith method validation could be bypassed simply by prepending an arbitrary property name (e.g., foo.) before the forbidden path segments, effectively circumventing the security check while still achieving prototype pollution.
Attack Vector
The attack exploits the incomplete path validation by constructing configuration paths that include prototype-polluting segments after an initial benign property name. An attacker can supply configuration input containing paths like:
- foo.__proto__.isAdmin to inject an isAdmin property into all objects
- bar.this.constructor.prototype.authenticated to inject authentication bypass values
Since Convict is commonly used to process configuration from various sources including environment variables, files, and potentially user-controlled input, applications that pass untrusted data through Convict's configuration parsing are vulnerable to this attack.
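Added example (not code from the convict library): the prefix-only check that the CVE-2022-22143 fix relied on, beside a segment-based check and a hardened nested setter, run over the bypass paths named above. The DANGEROUS_SEGMENTS list and setByPath are this example's own design and are stricter than the upstream patch.

```javascript
// Added example, not the convict library's own code: prefix-only check vs.
// segment-based check, plus a setter that refuses to walk into a prototype.
const FORBIDDEN_PREFIXES = ['__proto__', 'this.constructor.prototype'];

// Prefix-only check: "foo.__proto__.x" does not start with either string.
function isForbiddenByPrefix(path) {
  return FORBIDDEN_PREFIXES.some((f) => path.startsWith(f));
}

// Segment-based check (this example's design): the position of the dangerous
// name in the path is irrelevant, and empty segments ("a..b") are rejected.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
function isForbiddenBySegment(path) {
  if (typeof path !== 'string' || path.length === 0) return true;
  return path.split('.').some((s) => s.length === 0 || DANGEROUS_SEGMENTS.has(s));
}

// Hardened nested setter: validates the whole path first, and creates
// intermediate objects without a prototype so no segment can reach one.
function setByPath(target, path, value) {
  if (isForbiddenBySegment(path)) throw new Error(`forbidden key path: ${path}`);
  const segs = path.split('.');
  let node = target;
  for (const seg of segs.slice(0, -1)) {
    const ownObject = Object.prototype.hasOwnProperty.call(node, seg)
      && typeof node[seg] === 'object' && node[seg] !== null;
    if (!ownObject) node[seg] = Object.create(null);
    node = node[seg];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

// Constructed sample input: the two bypasses from this advisory plus benign keys.
const SAMPLE_PATHS = [
  '__proto__.isAdmin',
  'foo.__proto__.isAdmin',
  'bar.this.constructor.prototype.authenticated',
  'db.host',
];

// Per path, what each check decides; the prefix check lets the bypasses through.
function compareChecks(paths = SAMPLE_PATHS) {
  return paths.map((p) => ({ path: p, prefix: isForbiddenByPrefix(p), segment: isForbiddenBySegment(p) }));
}
```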
// Security patch in packages/convict/src/main.js - More complete fix for prototype pollution
// Forbidden key paths, for protection against prototype pollution
const FORBIDDEN_KEY_PATHS = [
- '__proto__',
- 'this.constructor.prototype',
+ '__proto__.',
+ 'this.constructor.prototype.',
]
const ALLOWED_OPTION_STRICT = 'strict'
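Review bot: adding a trailing dot to both FORBIDDEN_KEY_PATHS entries only closes the bypass if the code that consumes this array is changed from a prefix test (startsWith) to a substring or per-segment test, and that consumer is outside this hunk; confirm it is updated in the same commit and add test cases for `foo.__proto__.x` and `foo.this.constructor.prototype.x`. Note also that with the trailing dot a path consisting of exactly `__proto__` or `this.constructor.prototype` (no further segment) no longer matches either entry, so either the matching code must handle that case or a test should show it is rejected elsewhere.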
Source: GitHub Node-Convict Commit
The patch addresses the vulnerability by changing the forbidden path checks to include the trailing dot, enabling detection of these dangerous path segments regardless of where they appear in the full configuration path.
Detection Methods for CVE-2022-21190
Indicators of Compromise
- Unusual configuration values appearing in application objects that were not explicitly defined
- Unexpected properties on JavaScript base prototypes (Object.prototype)
- Application behavior anomalies related to authentication or authorization
- Configuration parsing errors or unexpected type coercion in application logs
Detection Strategies
- Implement Software Composition Analysis (SCA) scanning to identify vulnerable Convict versions in your dependency tree
- Monitor application logs for configuration path patterns containing __proto__ or constructor.prototype substrings
- Use runtime protection tools that detect and block prototype pollution attempts
- Deploy Node.js application security monitoring to detect unusual object property modifications
Monitoring Recommendations
- Enable verbose logging for Convict configuration parsing operations
- Implement application-level monitoring for prototype pollution indicators, for example by freezing the base prototype with Object.freeze(Object.prototype) in development environments so that polluting writes cannot succeed silently
- Set up dependency vulnerability alerts through npm audit, Snyk, or similar tools
- Monitor for unexpected property access patterns in production applications
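Added example (not code from the convict project) for the indicator "unexpected properties on Object.prototype" and the monitoring recommendations above: a startup canary that takes a baseline of Object.prototype's own property names before configuration is loaded and reports any names that appear afterwards. simulatedPollutedLoad is a constructed stand-in for a vulnerable loader that reproduces only the effect described in this advisory so the canary can be exercised offline.

```javascript
// Added example, not part of the convict project: a prototype-pollution
// canary. BASELINE is captured at module load, before any config is parsed.
function snapshotPrototype() {
  return new Set(Object.getOwnPropertyNames(Object.prototype));
}
const BASELINE = snapshotPrototype();

// Names on Object.prototype that are absent from the baseline (non-enumerable
// ones included, since getOwnPropertyNames lists those too).
function findPollutedKeys(baseline = BASELINE) {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !baseline.has(k));
}

// Wrap a loader (e.g. the code that feeds untrusted input into convict) and
// return the keys it left on Object.prototype. The prototype is not altered.
function runWithPollutionCheck(loader) {
  const before = snapshotPrototype();
  loader();
  return findPollutedKeys(before);
}

// Every plain object inherits from Object.prototype, so a fresh {} exposing a
// key it never defined is the cheapest symptom to probe in a health check.
function freshObjectInherits(key) {
  return key in {};
}

// Constructed stand-in for a vulnerable loader: it only reproduces the effect
// (a property appearing on the base prototype) and is undone by cleanup().
function simulatedPollutedLoad() {
  Object.defineProperty(Object.prototype, 'isAdmin',
    { value: true, configurable: true, enumerable: false, writable: true });
}
function cleanup() { delete Object.prototype.isAdmin; }

// Self-check: run the stand-in loader under the canary, record the findings,
// restore the prototype, and confirm the baseline is clean again.
function selfCheck() {
  const leaked = runWithPollutionCheck(simulatedPollutedLoad);
  const inherited = freshObjectInherits('isAdmin');
  cleanup();
  return { leaked, inherited, afterCleanup: findPollutedKeys() };
}
```

In a real deployment the loader passed to runWithPollutionCheck is the application's own configuration bootstrap, and a non-empty result should fail startup or raise an alert.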
How to Mitigate CVE-2022-21190
Immediate Actions Required
- Upgrade Mozilla Convict to version 6.2.3 or later immediately
- Audit all applications using Convict for exposure to untrusted configuration input
- Review configuration sources to ensure user-controlled data cannot reach Convict parsing functions
- Implement input validation and sanitization for any configuration paths before passing to Convict
Patch Information
Mozilla has released version 6.2.3 of Convict which addresses this prototype pollution bypass. The fix modifies the FORBIDDEN_KEY_PATHS array to include trailing dots, allowing the validation to detect dangerous path segments anywhere in the configuration path rather than only at the beginning.
The security patch is available in the GitHub Node-Convict Commit. Additional details can be found in the Snyk Vulnerability Report.
Workarounds
- Freeze the Object prototype using Object.freeze(Object.prototype) as a defense-in-depth measure (may cause compatibility issues with some libraries)
- Implement custom input sanitization to reject configuration paths containing __proto__ or constructor substrings
- Isolate Convict configuration processing in a sandboxed environment or separate process
- Use schema validation to strictly define allowed configuration keys and reject unexpected paths
# Upgrade example
# Update convict within the version range declared in package.json
npm update convict
# Or explicitly install the fixed version (this also updates package.json)
npm install convict@^6.2.3
# Verify the installed version is 6.2.3 or later
npm list convict
# Run a security audit to check for other vulnerable dependencies
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


