Summary by obaskly
This report details the discovery and responsible disclosure of a critical, unauthenticated Remote Code Execution (RCE) vulnerability within the NASA Common Metadata Repository (CMR). The vulnerability was caused by the unsafe implementation of Clojure's clojure.core/read-string function, which dynamically evaluated user input within the search parameter validation logic.
By injecting malicious Clojure reader macros into specific API endpoints, an unauthenticated attacker could bypass validation and execute arbitrary Java and OS-level commands on the underlying server. The NASA team rapidly patched the vulnerability by replacing the unsafe function with the secure clojure.edn/read-string alternative, ensuring user input is safely parsed as data rather than executable code.