CVE-2025-68930
Received Received - Intake
Cross-Site WebSocket Hijacking in Traccar `/api/socket` Endpoint

Publication date: 2026-02-23

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a remote attacker to bypass the Same Origin Policy (SOP) and establish a full-duplex WebSocket connection using a legitimate user's credentials (JSESSIONID). As of time of publication, it is unclear whether a fix is available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68930
EUVD
EUVD-2025-207618
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
traccar traccar to 6.11.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1385 The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation involves implementing strict validation of the Origin header during the WebSocket handshake on the server side.'}, {'type': 'paragraph', 'content': 'Specifically, the server should maintain an allowlist of trusted domains (such as its own domain) and reject any WebSocket handshake requests with missing or untrusted Origin headers by returning HTTP 403 Forbidden instead of upgrading the connection.'}, {'type': 'paragraph', 'content': "For Traccar's Jetty-based implementation, this means modifying the WebSocketCreator or handshake handler to explicitly validate the Origin header before creating the WebSocket instance."}, {'type': 'paragraph', 'content': 'Until a patch is available, monitoring and blocking suspicious WebSocket handshake requests with invalid Origin headers can help reduce risk.'}] [1]

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-68930 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability found in the Traccar GPS tracking system versions up to 6.11.1. The issue occurs because the application does not validate the Origin header during the WebSocket handshake on the `/api/socket` endpoint.'}, {'type': 'paragraph', 'content': "This lack of validation allows a remote attacker to bypass the Same Origin Policy (SOP) by sending a WebSocket handshake request with a forged Origin header from an arbitrary external domain. The server accepts this request and establishes a full-duplex WebSocket connection using the legitimate user's session credentials (JSESSIONID)."}, {'type': 'paragraph', 'content': 'As a result, the attacker can access sensitive real-time data streamed over the WebSocket, such as live phone geolocation (latitude and longitude), device metadata including deviceId, protocol type, and battery level.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have a critical impact by allowing unauthorized remote attackers to access sensitive real-time location data and device information of legitimate users without their consent.'}, {'type': 'list_item', 'content': 'Attackers can bypass access controls and the Same Origin Policy to hijack WebSocket connections.'}, {'type': 'list_item', 'content': 'Sensitive data exposed includes live geolocation coordinates, device identifiers, protocol types, and battery levels.'}, {'type': 'list_item', 'content': "The attack requires the victim to be logged in and to visit a malicious website, enabling the attacker to use the victim's session credentials."}, {'type': 'list_item', 'content': 'Confidentiality is severely compromised, but availability is not affected.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring WebSocket handshake requests to the `/api/socket` endpoint and inspecting the Origin header. If the Origin header is missing, untrusted, or does not match the server's domain, it indicates a potential exploitation attempt."}, {'type': 'paragraph', 'content': 'A proof-of-concept was demonstrated using Burp Suite to intercept and modify the Origin header during the WebSocket handshake. Additionally, a Python script was used to automate sending malicious handshake requests with forged Origin headers and valid JSESSIONID cookies.'}, {'type': 'paragraph', 'content': 'To detect this on your system, you can use network traffic analysis tools like tcpdump or Wireshark to capture WebSocket handshake requests and filter for suspicious Origin headers.'}, {'type': 'list_item', 'content': "Use tcpdump to capture WebSocket handshake traffic on port 80 or 443: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep 'GET /api/socket'"}, {'type': 'list_item', 'content': 'Use Wireshark to filter HTTP requests to `/api/socket` and inspect the Origin header for unexpected values.'}, {'type': 'list_item', 'content': 'Use Burp Suite or similar proxy tools to intercept and analyze WebSocket handshake requests and verify if Origin header validation is enforced.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68930. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart