Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit d2ff12df8c1f · 2026-03-26T18:57:31.000Z
GHSA-44fc-8fm5-q62h GHSA-cg6c-q2hx-69h7
diff --git a/advisories/github-reviewed/2026/03/GHSA-44fc-8fm5-q62h/GHSA-44fc-8fm5-q62h.json b/advisories/github-reviewed/2026/03/GHSA-44fc-8fm5-q62h/GHSA-44fc-8fm5-q62h.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-44fc-8fm5-q62h",
+  "modified": "2026-03-26T18:55:41Z",
+  "published": "2026-03-26T18:55:41Z",
+  "aliases": [
+    "CVE-2026-33864"
+  ],
+  "summary": "Convict has Prototype Pollution via startsWith() function",
+  "details": "### Summary\nA prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute `Object.prototype` via a crafted input using `String.prototype`. \n\n### Details\nThe vulnerability resides in line 564 of https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js where `startsWith()` function is used to check whether user provided input contain forbidden strings. \n\n### PoC\n#### Steps to reproduce\n1. Install latest version of convict using `npm install` or cloning from git\n2. Run the following code snippet:\n\n```javascript\nString.prototype.startsWith = () => false; \nconst convict = require('convict');\nlet obj = {};\nconst config = convict(obj);\nconsole.log({}.polluted);\nconfig.set('constructor.prototype.polluted', 'yes');\nconsole.log({}.polluted);    // prints yes -> the patch is bypassed and prototype pollution occurred\n```\n\n#### Expected behavior\nPrototype pollution should be prevented and {} should not gain new properties.\nThis should be printed on the console:\n```\nundefined\nundefined OR throw an Error\n```\n\n#### Actual behavior\n`Object.prototype` is polluted \nThis is printed on the console:\n```\nundefined \nyes\n```\n\n### Impact\nThis is a prototype pollution vulnerability, which can have severe security implications depending on how convict is used by downstream applications. Any application that processes attacker-controlled input using `convict.set`  may be affected.\nIt could potentially lead to the following problems:\n\n1. Authentication bypass\n2. Denial of service\n3. Remote code execution (if polluted property is passed to sinks like eval or child_process)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "convict"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.2.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 6.2.4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mozilla/node-convict"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1321"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-26T18:55:41Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-cg6c-q2hx-69h7/GHSA-cg6c-q2hx-69h7.json b/advisories/github-reviewed/2026/03/GHSA-cg6c-q2hx-69h7/GHSA-cg6c-q2hx-69h7.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cg6c-q2hx-69h7",
+  "modified": "2026-03-26T18:56:32Z",
+  "published": "2026-03-26T18:56:32Z",
+  "aliases": [],
+  "summary": "OpenClaw: Plivo V2 verified replay identity drifts on query-only variants",
+  "details": "## Summary\nBefore `v2026.3.23`, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate `baseUrl + nonce`, but the replay key was derived from the full verification URL including the query string, so unsigned query-only changes minted a new `verifiedRequestKey`.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: `< 2026.3.23`\n- Fixed: `>= 2026.3.23`\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Root Cause\nThe vulnerable logic lived in `extensions/voice-call/src/webhook-security.ts`. V2 signature validation already canonicalized to the base URL without query parameters, but the replay key used the full `verificationUrl`, letting query-only variants bypass replay identity stability.\n\n## Fix Commit(s)\n- `b0ce53a79cf63834660270513e26d921899b4e5b` — `fix(voice-call): stabilize plivo v2 replay keys`\n\n## Release Status\nThe fix commit is contained in released tags `v2026.3.23` and `v2026.3.23-2`. The latest shipped tag and npm release both include the fix.\n\n## Code-Level Confirmation\n- `extensions/voice-call/src/webhook-security.ts` now derives the V2 replay key with `createPlivoV2ReplayKey(...)`, which hashes `getBaseUrlNoQuery(url)` plus the nonce.\n- `extensions/voice-call/src/webhook-security.test.ts` contains the regression test `treats query-only V2 variants as the same verified request`.\n\nOpenClaw thanks @smaeljaish771 for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.23"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-294"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-26T18:56:32Z",
+    "nvd_published_at": null
+  }
+}
