CVE-2023-45282

7.5 HIGH

📋 TL;DR

CVE-2023-45282 is a prototype pollution vulnerability in NASA Open MCT (openmct) that allows attackers to modify JavaScript object prototypes through malicious import actions. This can lead to remote code execution, denial of service, or privilege escalation. All users running Open MCT versions before 3.1.0 are affected.

💻 Affected Systems

Products:
  • NASA Open MCT (openmct)
Versions: All versions before 3.1.0
Operating Systems: All platforms running Node.js/JavaScript
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments using the import functionality. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or lateral movement within the network.

🟠

Likely Case

Denial of service, application instability, or limited privilege escalation within the Open MCT application context.

🟢

If Mitigated

Limited impact if proper input validation and sandboxing are implemented, potentially causing only application errors.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to the import feature, which may require authentication depending on deployment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.0 and later

Vendor Advisory: https://github.com/nasa/openmct/compare/v3.0.2...v3.1.0

Restart Required: Yes

Instructions:

1. Update Open MCT to version 3.1.0 or later using npm update openmct.
2. Restart the Open MCT application server.
3. Verify the fix by checking the version.

🔧 Temporary Workarounds

Disable Import Functionality

all

Temporarily disable the import feature in Open MCT configuration to prevent exploitation.

Modify Open MCT configuration to remove or disable import endpoints

Input Validation Proxy

all

Implement a reverse proxy or WAF to validate and sanitize import requests before they reach Open MCT.

Configure WAF rules to block suspicious import payloads
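
The key-level check an input-validation proxy could apply to import bodies, as an added example (not code from Open MCT or from this advisory); the function names and sample bodies are constructed for illustration. It matches object keys rather than substrings, so a value that merely contains the word "constructor" is not blocked.

```javascript
'use strict';

// Keys that can reach Object.prototype when an untrusted object is merged
// or assigned key by key.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return the path of every forbidden key.
// Iterative, so deeply nested input cannot exhaust the call stack.
function findPollutionKeys(root) {
  const hits = [];
  const stack = [{ value: root, path: '$' }];
  while (stack.length > 0) {
    const { value, path } = stack.pop();
    if (value === null || typeof value !== 'object') continue;
    const isArray = Array.isArray(value);
    // Object.keys sees "__proto__" here because JSON.parse creates it as an
    // own property instead of invoking the prototype setter.
    for (const key of Object.keys(value)) {
      const childPath = isArray ? `${path}[${key}]` : `${path}.${key}`;
      if (!isArray && FORBIDDEN_KEYS.has(key)) hits.push(childPath);
      stack.push({ value: value[key], path: childPath });
    }
  }
  return hits.sort();
}

// Validate the raw body of an import request before it is forwarded.
function checkImportBody(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (err) {
    return { allowed: false, reason: 'invalid JSON', hits: [] };
  }
  const hits = findPollutionKeys(parsed);
  return hits.length > 0
    ? { allowed: false, reason: 'forbidden key', hits }
    : { allowed: true, reason: 'ok', hits };
}

// Constructed sample bodies (not real Open MCT export files).
const SAMPLES = {
  benign: '{"root":{"name":"constructor notes","type":"folder"}}',
  nested: '{"root":{"items":[{"__proto__":{"polluted":true}}]}}',
  viaCtor: '{"a":{"constructor":{"prototype":{"polluted":true}}}}',
};
for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(checkImportBody(body)));
}
```
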

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Open MCT instances from critical systems.
  • Deploy runtime application self-protection (RASP) or similar tools to detect and block prototype pollution attempts.

🔍 How to Verify

Check if Vulnerable:

Check if Open MCT version is below 3.1.0 by examining package.json or running npm list openmct.

Check Version:

npm list openmct | grep openmct

Verify Fix Applied:

Confirm version is 3.1.0 or higher and test import functionality with known safe payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual import requests with malformed JSON/objects
  • Application errors related to prototype modification
  • Unexpected property assignments in object logs

Network Indicators:

  • HTTP POST requests to import endpoints with suspicious payloads
  • Unusual traffic patterns to Open MCT import functionality

SIEM Query:

source="openmct" AND (http_method="POST" AND uri_path="/import" AND (payload_contains="__proto__" OR payload_contains="constructor"))
