CVE-2023-49958
Description
An issue was discovered in Dalmann OCPP.Core through 1.2.0 for OCPP (Open Charge Point Protocol) for electric vehicles. The server processes mishandle StartTransaction messages containing additional, arbitrary properties, or duplicate properties. The last occurrence of a duplicate property is accepted. This could be exploited to alter transaction records or impact system integrity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OCPP.Core before 1.3.0 accepts duplicate and arbitrary properties in StartTransaction messages, allowing transaction record manipulation.
Vulnerability
The Dalmann OCPP.Core server through version 1.2.0 mishandles StartTransaction messages by accepting additional, arbitrary properties and duplicate properties without validation. When duplicate properties are present, the server processes the last occurrence and ignores any previous valid values. The affected versions are all releases up to and including 1.2.0 [1].
Exploitation
An attacker with network access to the OCPP server can craft a StartTransaction message containing duplicate properties (e.g., two different connectorId values) or additional arbitrary properties. The server accepts the message and uses the last occurrence of duplicate properties for processing. No authentication or special privilege is required beyond the ability to send OCPP messages [1].
Impact
Successful exploitation allows the attacker to alter transaction records, such as changing the connector ID or other properties that affect system behavior. This can lead to misconfiguration, incorrect billing, or denial of legitimate charging sessions, impacting system integrity and data reliability [1].
Mitigation
The issue is fixed in OCPP.Core version 1.3.0, released on 2024-01-15 according to the project repository. Users should upgrade to 1.3.0 or later. No workaround is documented for earlier versions [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Dalmann/OCPP.Core
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation of message properties allows acceptance of arbitrary and duplicate fields in StartTransaction messages."
Attack vector
An attacker sends a crafted StartTransaction message to the OCPP server containing either additional arbitrary properties or duplicate properties (e.g., two different connectorId values). The server processes the message using the last occurrence of any duplicate property, without rejecting the malformed input [1]. This can be exploited remotely over the network by any entity able to send OCPP messages to the server, with no special authentication or configuration prerequisites beyond network access.
Affected code
The advisory does not specify exact file paths or function names. The vulnerability lies in the server-side message handling logic for OCPP StartTransaction messages, where the deserialization code accepts arbitrary and duplicate JSON properties without validation [1].
What the fix does
No patch is published in the advisory [1]. The recommended remediation is to implement validation that rejects StartTransaction messages containing unknown additional properties or duplicate properties, rather than silently accepting the last occurrence of a duplicate [1].
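One way to implement the validation recommended above, as an added Python example that is not OCPP.Core's own code. The field list follows the OCPP 1.6 StartTransaction.req schema; the function names and the sample frames are constructed for illustration.

```python
import json

# StartTransaction.req fields from the OCPP 1.6 JSON schema; True = required.
FIELDS = {"connectorId": True, "idTag": True, "meterStart": True,
          "timestamp": True, "reservationId": False}

class MessageRejected(ValueError):
    """The frame must not be processed."""

def _reject_duplicates(pairs):
    # json passes each object's (key, value) pairs in document order,
    # before a plain dict would silently keep only the last duplicate.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise MessageRejected(f"duplicate property {key!r}")
        obj[key] = value
    return obj

def parse_start_transaction(text):
    """Return the payload of an OCPP-J CALL frame, or raise MessageRejected."""
    try:
        frame = json.loads(text, object_pairs_hook=_reject_duplicates)
    except json.JSONDecodeError as exc:
        raise MessageRejected(f"malformed JSON: {exc}") from exc
    if not (isinstance(frame, list) and len(frame) == 4 and frame[0] == 2
            and frame[2] == "StartTransaction" and isinstance(frame[3], dict)):
        raise MessageRejected("not a StartTransaction CALL frame")
    payload = frame[3]
    unknown = sorted(set(payload) - set(FIELDS))
    missing = sorted(k for k, req in FIELDS.items() if req and k not in payload)
    if unknown:
        raise MessageRejected(f"unknown properties {unknown}")
    if missing:
        raise MessageRejected(f"missing properties {missing}")
    return payload

def lenient_connector_id(text):
    # Default json.loads behaviour: the last duplicate wins (the flaw's pattern).
    return json.loads(text)[3]["connectorId"]

# Constructed sample frames (not captured traffic).
_BASE = '"idTag":"TAG-A","meterStart":0,"timestamp":"2024-01-01T00:00:00Z"'
VALID = '[2,"m1","StartTransaction",{"connectorId":1,%s}]' % _BASE
DUPLICATE = '[2,"m2","StartTransaction",{"connectorId":1,%s,"connectorId":2}]' % _BASE
EXTRA = '[2,"m3","StartTransaction",{"connectorId":1,%s,"note":"x"}]' % _BASE
```

The same duplicate check applies to nested objects, because the hook runs for every JSON object in the frame.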
Preconditions
- network: Network access to the OCPP server endpoint
- input: Ability to send a crafted StartTransaction message
Reproduction
Send a StartTransaction message with duplicate properties, such as two different connectorId values. Observe that the server accepts the message and processes it based on the last occurrence of the duplicate property [1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.