CVE-2022-21803
HIGHnconf < 0.11.4 - Prototype Pollution via .set() Function
Title source: llmDescription
This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configuration. The .set() function, that is responsible for setting the configuration properties, is vulnerable to Prototype Pollution. By providing a crafted property, it is possible to modify the properties on the Object.prototype.
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-NCONF-2395478
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2632450
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/indexzero/nconf/pull/397
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/indexzero/nconf/releases/tag/v0.11.4
Scores
CVSS v3
7.3
EPSS
0.0170
EPSS Percentile
74.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-1321
Status
published
Products (2)
nconf_project/nconf
< 0.11.4
npm/nconf
0 - 0.11.4npm
Published
Apr 12, 2022
Tracked Since
Feb 18, 2026