CVE-2023-45282: 
JavaScript vulnerability analysis and mitigation

In NASA Open MCT (aka openmct) before version 3.1.0, a prototype pollution vulnerability was discovered that could occur via an import action. The vulnerability was identified and tracked as CVE-2023-45282, with the initial disclosure made on October 6, 2023 (NVD, CVE).

The vulnerability exists in the Import from JSON functionality, specifically in the _deepInstantiate function located in the ImportFromJSONAction.js file of the ImportFromJSON plugin. The function recursively processes objects reconstructed from imported JSON files without proper validation, allowing for prototype pollution. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, LinkedIn Article).

The vulnerability can lead to Denial of Service (DoS) when a malicious JSON file is imported. In some cases, the impact persists even after page refresh, particularly with certain plugins like the Plan plugin. While the immediate impact is DoS, depending on the plugin and its functionality, the business logic of the application could be compromised, potentially leading to more severe consequences such as Cross-Site Scripting (XSS) or Cross-Site-Request-Forgery (CSRF) (LinkedIn Article).

The vulnerability has been patched in Open MCT version 3.1.0. The fix involves adding validation checks in the deepInstantiate function to verify and remove any explicit _proto__ properties in imported JSON objects. Organizations using affected versions should upgrade to version 3.1.0 or later (GitHub Commit).