CVE-2023-45811

8.1 HIGH

📋 TL;DR

This CVE describes a __proto__ pollution vulnerability in Synchrony deobfuscator versions before 2.4.4 that allows attackers to modify the Object prototype through crafted input to the LiteralMap transformer. Successful exploitation could lead to arbitrary code execution. Users of vulnerable versions of this JavaScript deobfuscation tool are affected.

💻 Affected Systems

Products:
  • Synchrony deobfuscator
Versions: before v2.4.4
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the LiteralMap transformer component when processing malicious input.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Local privilege escalation or denial of service through prototype pollution attacks.

🟢 If Mitigated: Limited impact with proper input validation and security controls in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific input to trigger the prototype pollution vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: deobfuscator@2.4.4

Vendor Advisory: https://github.com/relative/synchrony/security/advisories/GHSA-jg82-xh3w-rhxx

Restart Required: No

Instructions:

1. Update package.json to specify "deobfuscator": "^2.4.4"
2. Run 'npm update deobfuscator'
3. Verify the installed version with 'npm list deobfuscator'

🔧 Temporary Workarounds

Disable __proto__ manipulation (applies to: all platforms)

Launch Node.js with a flag that disables the Object.prototype.__proto__ accessor. With 'delete' the property is removed entirely; with 'throw' any access to it raises an error:

node --disable-proto=delete your_script.js
node --disable-proto=throw your_script.js

This only blocks pollution that goes through the __proto__ accessor and may break code that relies on it; treat it as a stopgap until the package is updated to 2.4.4.
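The flags above remove the __proto__ accessor at the runtime level; the following Node.js snippet is an added example (not code from the advisory or the synchrony project) showing the application-level guard that keeps a __proto__ key in untrusted input from reaching Object.prototype, together with a check for whether --disable-proto is in effect. Function names are hypothetical and the sample inputs are constructed.

```javascript
'use strict';
// Added example, not from the advisory or the synchrony project. Function
// names are hypothetical; the sample inputs below are constructed.

// Keys that, if assigned on a plain object, can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Copy an untrusted key/value map onto `target`, refusing polluting keys.
// JSON.parse('{"__proto__": ...}') yields an own property named __proto__,
// which `target[key] = value` would hand to the prototype setter; the guard
// rejects it, and defineProperty never invokes that setter anyway.
function applyLiteralMap(target, untrusted) {
  for (const key of Object.keys(untrusted)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refused prototype-polluting key: ${key}`);
    }
    Object.defineProperty(target, key, {
      value: untrusted[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// True when the process was started with --disable-proto=delete (accessor
// removed) or --disable-proto=throw (any access raises ERR_PROTO_ACCESS).
function protoAccessorDisabled() {
  if (Object.getOwnPropertyDescriptor(Object.prototype, '__proto__') === undefined) return true;
  try {
    void ({}).__proto__;
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed samples: a benign map and one carrying a __proto__ payload.
const SAMPLE_BENIGN = JSON.parse('{"a": 1, "b": "x"}');
const SAMPLE_MALICIOUS = JSON.parse('{"a": 1, "__proto__": {"polluted": true}}');

function demo() {
  const benign = applyLiteralMap({}, SAMPLE_BENIGN);
  let refused = false;
  try { applyLiteralMap({}, SAMPLE_MALICIOUS); } catch (err) { refused = true; }
  // A fresh {} must not see "polluted" through its prototype chain.
  return { benign, refused, prototypeClean: !('polluted' in {}) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo(), 'proto accessor disabled:', protoAccessorDisabled());
}
```

Run it once normally and once under node --disable-proto=throw to see the runtime check flip while the guard behaves the same either way.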

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Run the application with minimal privileges and in isolated environments

🔍 How to Verify

Check if Vulnerable:

Check package.json for deobfuscator version <2.4.4 or run 'npm list deobfuscator'

Check Version:

npm list deobfuscator | grep deobfuscator

Verify Fix Applied:

Confirm deobfuscator version is 2.4.4 or higher using 'npm list deobfuscator'

📡 Detection & Monitoring

Log Indicators:

  • Unusual prototype modification attempts
  • Unexpected object property changes
  • Stack traces showing LiteralMap transformer errors

Network Indicators:

  • Malformed JavaScript input patterns
  • Suspicious deobfuscation requests

SIEM Query:

source="application_logs" AND ("__proto__" OR "prototype pollution" OR "LiteralMap")

🔗 References
