{"cve":{"cve_id":"CVE-2023-0163","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.00275,"epss_percentile":0.19041,"epss_as_of":"2026-06-23","description":"Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict.\n\nThis allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type, which may lead to a crash.\n\n\nThe main use case of Convict is for handling server-side \nconfigurations written by the admins owning the servers, and not random \nusers. So it's unlikely that an admin would deliberately sabotage their \nown server. Still, a situation can happen where an admin not \nknowledgeable about JavaScript could be tricked by an attacker into \nwriting the malicious JavaScript code into some config files.\n\n\n\nThis issue affects Convict: before 6.2.4.","published_at":"2024-11-26T11:36:26.574000Z","last_modified_at":null,"cvss_v3_score":8.4,"cvss_v3_vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_v3_severity":"HIGH","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":"poc","ssvc_automatable":false,"ssvc_technical_impact":"total","cwes":["CWE-1321"],"nvd_references":["https://github.com/mozilla/node-convict/issues/410","https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-29T01:23:15.370465Z"},"effective_severity":"HIGH","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"L","value_label":"Local"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"mozilla","vendor_name":"Mozilla","product_slug":"convict","product_name":"Convict","version_start":"0","version_start_inclusive":true,"version_end":"6.2.4","version_end_inclusive":false,"cpe23_uri":"cve5:mozilla:convict:0:6.2.4"}],"exploit_refs":[],"news":[],"references":[{"url":"https://github.com/mozilla/node-convict/issues/410","source_type":"MISC","tags":[]},{"url":"https://github.com/mozilla/node-convict/security/advisories/GHSA-4jrm-c32x-w4jf","source_type":"VENDOR_ADVISORY","tags":["advisory"]}],"timeline":[{"type":"published","at":"2024-11-26T11:36:26.574000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:25:33.319521Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:25:33.319521Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:25:33.319521Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"ssvc_changed","at":"2026-06-29T01:23:15.370465Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-29T01:23:15.370465Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-29T01:23:15.370465Z","label":"SSVC decision revised","source":"vulnrichment"}]}