CVE-2025-68930
Cross-Site WebSocket Hijacking in Traccar `/api/socket` Endpoint
Publication date: 2026-02-23
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| traccar | traccar | up to 6.11.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1385 | The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves implementing strict validation of the Origin header during the WebSocket handshake on the server side.

Specifically, the server should maintain an allowlist of trusted domains (such as its own domain) and reject any WebSocket handshake requests with missing or untrusted Origin headers by returning HTTP 403 Forbidden instead of upgrading the connection.

For Traccar's Jetty-based implementation, this means modifying the WebSocketCreator or handshake handler to explicitly validate the Origin header before creating the WebSocket instance.

Until a patch is available, monitoring and blocking suspicious WebSocket handshake requests with invalid Origin headers can help reduce risk. [1]
Can you explain this vulnerability to me?
CVE-2025-68930 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability found in the Traccar GPS tracking system versions up to 6.11.1. The issue occurs because the application does not validate the Origin header during the WebSocket handshake on the `/api/socket` endpoint.

This lack of validation allows a remote attacker to bypass the Same Origin Policy (SOP) by sending a WebSocket handshake request with a forged Origin header from an arbitrary external domain. The server accepts this request and establishes a full-duplex WebSocket connection using the legitimate user's session credentials (JSESSIONID).

As a result, the attacker can access sensitive real-time data streamed over the WebSocket, such as live phone geolocation (latitude and longitude) and device metadata including deviceId, protocol type, and battery level. [1]
How can this vulnerability impact me?
This vulnerability can have a critical impact by allowing unauthorized remote attackers to access sensitive real-time location data and device information of legitimate users without their consent.

- Attackers can bypass access controls and the Same Origin Policy to hijack WebSocket connections.
- Sensitive data exposed includes live geolocation coordinates, device identifiers, protocol types, and battery levels.
- The attack requires the victim to be logged in and to visit a malicious website, enabling the attacker to use the victim's session credentials.
- Confidentiality is severely compromised, but availability is not affected. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring WebSocket handshake requests to the `/api/socket` endpoint and inspecting the Origin header. If the Origin header is missing, untrusted, or does not match the server's domain, it indicates a potential exploitation attempt.

A proof-of-concept was demonstrated using Burp Suite to intercept and modify the Origin header during the WebSocket handshake. Additionally, a Python script was used to automate sending malicious handshake requests with forged Origin headers and valid JSESSIONID cookies.

To detect this on your system, you can use network traffic analysis tools like tcpdump or Wireshark to capture WebSocket handshake requests and filter for suspicious Origin headers.

- Use tcpdump to capture WebSocket handshake traffic on port 80 or 443: `tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep 'GET /api/socket'`
- Use Wireshark to filter HTTP requests to `/api/socket` and inspect the Origin header for unexpected values.
- Use Burp Suite or similar proxy tools to intercept and analyze WebSocket handshake requests and verify if Origin header validation is enforced. [1]
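The mitigation and detection answers above both come down to one decision: compare the Origin header of an upgrade request to `/api/socket` against an allowlist of the server's own origins, and refuse (HTTP 403) when it is missing, malformed or not on the list. The following Python is an added example, not Traccar's code and not the Jetty `WebSocketCreator` change the mitigation answer refers to; it models that check so it can be run both as the server-side rule and as an audit over captured handshakes of the kind the tcpdump filter above would collect. The allowlist, host names, cookie value and sample requests are all constructed for the example. The origin comparison is exact on scheme, host and port after normalisation, because a prefix or substring match on the host name is a common way to get this check wrong.

```python
"""Origin allowlist check for WebSocket upgrades to /api/socket (added example)."""
from urllib.parse import urlsplit

# Constructed allowlist: the origins a deployment serves its own web UI from.
TRUSTED_ORIGINS = {
    "https://tracking.example.com",
    "http://localhost:8082",
}


def normalize_origin(origin):
    """Return 'scheme://host[:port]' in canonical form, or None if it is not a valid origin.

    Default ports are dropped, so 'https://a.example:443' equals 'https://a.example'.
    Anything that is not 'http(s)://host[:port]' (e.g. the literal 'null') yields None.
    """
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # a serialized origin carries no path, query or fragment
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


# Normalise the allowlist once so comparison is exact, not a substring match.
ALLOWED = {normalize_origin(o) for o in TRUSTED_ORIGINS}
ALLOWED.discard(None)


def parse_handshake(raw):
    """Split a raw HTTP/1.1 request head into (method, target, headers).

    Header names are lower-cased and every occurrence is kept, so a duplicated
    Origin header is visible to the caller instead of silently overwritten.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        raise ValueError("malformed request line")
    method, target, _version = request_line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def decide_handshake(raw, allowed=None):
    """Return (status, reason): 101 to upgrade, 403 to refuse, 400 if malformed.

    Only the Origin rule is modelled; session-cookie validation is assumed to
    happen elsewhere, as it already does on the affected endpoint.
    """
    allowed = ALLOWED if allowed is None else allowed
    try:
        method, _target, headers = parse_handshake(raw)
    except ValueError as exc:
        return 400, str(exc)
    upgrade = [v.lower() for v in headers.get("upgrade", [])]
    if method != "GET" or "websocket" not in upgrade:
        return 400, "not a WebSocket upgrade request"
    origins = headers.get("origin", [])
    if len(origins) != 1:
        return 403, "missing or duplicated Origin header"
    norm = normalize_origin(origins[0])
    if norm is None:
        return 403, f"unparseable Origin {origins[0]!r}"
    if norm not in allowed:
        return 403, f"untrusted Origin {norm}"
    return 101, "origin allowed"


def audit_handshakes(raw_requests, allowed=None):
    """Detection view: return (index, status, reason) for every /api/socket upgrade
    in a capture that the server-side rule would have refused."""
    flagged = []
    for i, raw in enumerate(raw_requests):
        try:
            _method, target, _headers = parse_handshake(raw)
        except ValueError:
            continue
        if target.split("?", 1)[0] != "/api/socket":
            continue  # only the WebSocket endpoint is of interest here
        status, reason = decide_handshake(raw, allowed)
        if status != 101:
            flagged.append((i, status, reason))
    return flagged


# Constructed sample capture. Header lines follow the shape of a browser
# handshake; the cookie value is a placeholder, not a real session id.
def _handshake(target, extra_headers):
    base = (f"GET {target} HTTP/1.1\r\nHost: tracking.example.com\r\n"
            "Cookie: JSESSIONID=<placeholder-session-id>\r\n")
    return base + "".join(h + "\r\n" for h in extra_headers) + "\r\n"

WS = ["Upgrade: websocket", "Connection: Upgrade",
      "Sec-WebSocket-Version: 13", "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="]

SAMPLE_HANDSHAKES = [
    _handshake("/api/socket", WS + ["Origin: https://tracking.example.com"]),        # 0: own UI
    _handshake("/api/socket", WS + ["Origin: https://other-site.example"]),          # 1: cross-site
    _handshake("/api/socket", WS),                                                   # 2: no Origin
    _handshake("/api/socket", WS + ["Origin: https://tracking.example.com.other.example"]),  # 3: lookalike host
    _handshake("/api/socket", WS + ["Origin: https://tracking.example.com:443"]),    # 4: explicit default port
    _handshake("/api/devices", ["Accept: application/json"]),                        # 5: not the WS endpoint
]

if __name__ == "__main__":
    for index, status, reason in audit_handshakes(SAMPLE_HANDSHAKES):
        print(f"request {index}: {status} {reason}")
```

Request 3 is the case an exact comparison exists for: its host merely begins with the trusted name, so a `startswith`/substring check would have let it through, while the normalised comparison refuses it. Request 4 shows the other direction, the trusted origin with its default port spelled out, which is accepted rather than rejected on a string mismatch. The rule follows the mitigation answer in refusing a missing Origin; a deployment with non-browser clients that omit the header would need to decide separately how to treat those, since the cross-site attack described on this page relies on a browser, and browsers always send Origin on a WebSocket handshake.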