CVE-2026-35038: Arbitrary Prototype Read in Signal K Server via JSON-Patch Bypass
Vulnerability ID: CVE-2026-35038
CVSS Score: 2.1
Published: 2026-04-03
Signal K Server prior to version 2.24.0 contains an input validation flaw in its JSON-patch endpoint. The application fails to validate the from field during copy and move operations, allowing authenticated users to read sensitive properties from the global prototype object.
TL;DR
An incomplete input validation check in the Signal K Server JSON-patch handler allows authenticated attackers to bypass prototype pollution defenses and read internal server properties via the from field.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-20
- Attack Vector: Network
- CVSS Score: 2.1
- Impact: Low Confidentiality
- Exploit Status: Proof of Concept
- Authentication: Required (Low Privileges)
Affected Systems
- Signal K Server instances running versions prior to 2.24.0
- Signal K Server: < 2.24.0 (Fixed in: 2.24.0)
Exploit Details
- GitHub Advisory: Primary advisory detailing the JSON-patch bypass mechanism.
Mitigation Strategies
- Upgrade Signal K Server to version 2.24.0 or newer.
- Deploy Web Application Firewall (WAF) rules to filter JSON payloads containing prototype pollution keywords (__proto__, constructor, prototype).
- Implement strict object property iteration protections throughout the Node.js application stack.
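The flaw described above is that the patch handler checked the path field but not the from field of copy and move operations. The following is an added example, not code from the Signal K Server project: a library-free JSON Patch (RFC 6902) pre-validator that checks every pointer-carrying field of every operation, including from, and also walks the value of add/replace/test for prototype-chain keys. The operation table is held in a Map rather than a plain object so that a crafted op name such as "constructor" cannot resolve to an inherited property, which is the "strict property iteration" point from the list above. The sample patch at the bottom is constructed for illustration; nothing here uses Signal K's own APIs or routes.

```javascript
// Added example (not Signal K Server's own code): validate a JSON Patch document
// before applying it. Rejects any RFC 6901 pointer whose reference tokens
// resolve into the prototype chain, and checks the "from" field of copy/move
// exactly as strictly as "path".

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split an RFC 6901 JSON Pointer into decoded reference tokens.
// Returns null for a syntactically invalid pointer (non-string or no leading "/").
function parsePointer(pointer) {
  if (typeof pointer !== 'string') return null;
  if (pointer === '') return []; // "" addresses the whole document
  if (pointer[0] !== '/') return null;
  return pointer
    .slice(1)
    .split('/')
    // RFC 6901: replace "~1" with "/" first, then "~0" with "~"
    .map((t) => t.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// True only when the pointer parses and no token names a prototype-chain property.
function isSafePointer(pointer) {
  const tokens = parsePointer(pointer);
  if (tokens === null) return false;
  return tokens.every((t) => !FORBIDDEN_SEGMENTS.has(t));
}

// Walk a JSON value and report whether any own key is a forbidden segment.
// Uses a "seen" set so a cyclic object cannot loop forever.
function valueHasForbiddenKey(value) {
  if (value === null || typeof value !== 'object') return false;
  const seen = new Set();
  const stack = [value];
  while (stack.length) {
    const cur = stack.pop();
    if (seen.has(cur)) continue;
    seen.add(cur);
    for (const k of Object.keys(cur)) {
      if (FORBIDDEN_SEGMENTS.has(k)) return true;
      const v = cur[k];
      if (v !== null && typeof v === 'object') stack.push(v);
    }
  }
  return false;
}

// Which pointer fields each RFC 6902 operation carries. A Map (not a plain
// object) so that looking up op names like "constructor" yields undefined.
const POINTER_FIELDS = new Map([
  ['add', ['path']], ['remove', ['path']], ['replace', ['path']], ['test', ['path']],
  ['move', ['from', 'path']], ['copy', ['from', 'path']],
]);
const VALUE_OPS = new Set(['add', 'replace', 'test']);

// Validate a whole patch. Returns { ok: true } or { ok: false, errors: [...] }.
function validatePatch(patch) {
  if (!Array.isArray(patch)) return { ok: false, errors: ['patch must be an array'] };
  const errors = [];
  patch.forEach((op, i) => {
    const opName = op && typeof op === 'object' ? op.op : undefined;
    const fields = POINTER_FIELDS.get(opName);
    if (!fields) {
      errors.push(`op ${i}: unknown operation ${JSON.stringify(opName)}`);
      return;
    }
    for (const f of fields) {
      if (!isSafePointer(op[f])) {
        errors.push(`op ${i}: unsafe or invalid "${f}" pointer ${JSON.stringify(op[f])}`);
      }
    }
    if (VALUE_OPS.has(opName) && valueHasForbiddenKey(op.value)) {
      errors.push(`op ${i}: "value" contains a prototype-chain key`);
    }
  });
  return errors.length ? { ok: false, errors } : { ok: true };
}

// Constructed sample: one benign replace, one copy whose "from" points into the
// prototype chain. A handler should refuse the whole patch when ok is false.
const constructedPatch = [
  { op: 'replace', path: '/vessels/self/name', value: 'Aurora' },
  { op: 'copy', from: '/__proto__/polluted', path: '/vessels/self/note' },
];
console.log(validatePatch(constructedPatch));
```

Run the validator before any patch library touches the document and reject the request on ok === false; validating after a partial apply defeats the purpose. Escaped tokens are decoded before comparison, so "/~1__proto__" does not slip past as a different string.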
Remediation Steps:
- Identify the current version of the Signal K Server running on the marine hub.
- Review the vendor release notes for version 2.24.0.
- Create a backup of the current Signal K Server configuration and data.
- Execute the update procedure using NPM: npm install -g signalk-server@latest
- Restart the server process and verify system stability.
- Conduct a verification test using the PoC payload to confirm the vulnerability is mitigated.
References
- GHSA-qh3j-mrg8-f234 Security Advisory
- Signal K Server v2.24.0 Release Notes
- NVD Vulnerability Detail - CVE-2026-35038
- CVE.org Record - CVE-2026-35038