Compliance Impact

The vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering and read internal prototype properties, violating data isolation and exposing sensitive internal information.

This exposure of sensitive information could potentially impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls on data confidentiality and integrity.

However, the vulnerability does not allow arbitrary code execution or modification of data, limiting the scope of impact to unauthorized data exposure.

The issue was fixed in version 2.24.0 by validating the 'from' field in JSON patch operations to prevent prototype pollution attacks.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35038 is a low-severity vulnerability in the Signal K Server application prior to version 2.24.0. It arises from improper input validation in the JSON Patch operations endpoint, specifically in the handling of the 'from' field used in 'copy' and 'move' operations.

The vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering by exploiting the fact that the security check only inspects the 'path' field but ignores the 'from' field. This enables the attacker to read internal functions and properties from the global prototype object, violating data isolation.

Although this does not allow arbitrary code execution, it exposes sensitive internal information by copying prototype properties into application data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a low-privileged authenticated user to read internal prototype properties and functions that should be inaccessible, violating data isolation principles.

While it does not enable code execution or direct system compromise, it exposes sensitive internal information that could be used for further attacks or to gain insights into the system's internals.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring requests to the `/signalk/v1/applicationData/...JSON-patch` endpoint for suspicious JSON Patch operations that use the `from` field to reference prototype properties such as `/__proto__/toString`.

A practical way to detect exploitation attempts is to look for HTTP POST requests with JSON payloads containing operations like `copy` or `move` where the `from` field includes dangerous segments such as `__proto__`, `constructor`, or `prototype`.

Example command to test if the vulnerability exists (requires valid authentication token):

• curl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '[{"op": "copy", "from": "/__proto__/toString", "path": "/stolen"}]'

If the server responds with 200 OK and accepts the patch, it indicates the vulnerability is present. If it rejects the request with an error (e.g., 400 Bad Request), the vulnerability may be mitigated.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the Signal K Server to version 2.24.0 or later, where this vulnerability has been fixed.

The fix involves updating the server code to validate both the `path` and `from` fields in JSON Patch operations to prevent prototype pollution attacks.

Until the upgrade can be applied, consider monitoring and blocking suspicious JSON Patch requests that use the `from` field with prototype-related paths.

Additionally, review and restrict access to the `/signalk/v1/applicationData` endpoint to only trusted and authenticated users, as the vulnerability requires low-privileged authenticated access.

Useful 0 Not Useful 0