CVE-2026-35038
Prototype Pollution Read Vulnerability in Signal K Server Before

Publication date: 2026-04-02

Last updated on: 2026-04-29

Assigner: GitHub, Inc.

Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via a `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering and extract internal functions and properties from the global prototype object; this violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-04-02
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: signalk
Product: signal_k_server
Version / Range: all versions before 2.24.0 (2.24.0 excluded)
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering and read internal prototype properties, violating data isolation and exposing sensitive internal information.

This exposure of sensitive information could potentially impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls on data confidentiality and integrity.

However, the vulnerability does not allow arbitrary code execution or modification of data, limiting the scope of impact to unauthorized data exposure.

The issue was fixed in version 2.24.0 by validating the 'from' field in JSON patch operations to prevent prototype pollution attacks.


Can you explain this vulnerability to me?

CVE-2026-35038 is a low-severity vulnerability in the Signal K Server application prior to version 2.24.0. It arises from improper input validation in the JSON Patch operations endpoint, specifically in the handling of the 'from' field used in 'copy' and 'move' operations.

The vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering by exploiting the fact that the security check only inspects the 'path' field but ignores the 'from' field. This enables the attacker to read internal functions and properties from the global prototype object, violating data isolation.

Although this does not allow arbitrary code execution, it exposes sensitive internal information by copying prototype properties into application data.


How can this vulnerability impact me?

This vulnerability allows a low-privileged authenticated user to read internal prototype properties and functions that should be inaccessible, violating data isolation principles.

While it does not enable code execution or direct system compromise, it exposes sensitive internal information that could be used for further attacks or to gain insights into the system's internals.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring requests to the `/signalk/v1/applicationData/...` JSON Patch endpoint for operations that use the `from` field to reference prototype properties such as `/__proto__/toString`.

A practical way to detect exploitation attempts is to look for HTTP POST requests with JSON payloads containing operations like `copy` or `move` where the `from` field includes dangerous segments such as `__proto__`, `constructor`, or `prototype`.

Example command to test if the vulnerability exists (requires valid authentication token):

  • curl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '[{"op": "copy", "from": "/__proto__/toString", "path": "/stolen"}]'

If the server responds with 200 OK and accepts the patch, it indicates the vulnerability is present. If it rejects the request with an error (e.g., 400 Bad Request), the vulnerability may be mitigated.


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation is to upgrade the Signal K Server to version 2.24.0 or later, where this vulnerability has been fixed.

The fix involves updating the server code to validate both the `path` and `from` fields in JSON Patch operations to prevent prototype pollution attacks.

Until the upgrade can be applied, consider monitoring and blocking suspicious JSON Patch requests that use the `from` field with prototype-related paths.

Additionally, review and restrict access to the `/signalk/v1/applicationData` endpoint to only trusted and authenticated users, as the vulnerability requires low-privileged authenticated access.
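The detection rule and the fix described in these answers come down to the same check on JSON Pointer segments. The following Node.js snippet is an added example, not Signal K's own code: it shows the path-only check the advisory describes as the flaw, the hardened check that also covers `from` for copy/move, and the same rule run over constructed log lines (the `<method> <url> <json body>` log format and the sample URLs are assumptions).

```javascript
// Added example (not Signal K's own code): the fix as the advisory describes it,
// checking every path and, for copy/move, from; plus the same rule over log lines.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
// RFC 6901 pointer -> unescaped segments ('~1' -> '/', '~0' -> '~'); null if malformed.
function pointerSegments(pointer) {
  if (typeof pointer !== 'string' || (pointer !== '' && !pointer.startsWith('/'))) return null;
  return pointer.split('/').slice(1).map((s) => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}
// True when any segment (not just the first) names a prototype-boundary key.
function touchesPrototype(pointer) {
  const segs = pointerSegments(pointer);
  return segs !== null && segs.some((s) => FORBIDDEN_SEGMENTS.has(s));
}
// Pre-2.24.0 behaviour per the advisory: only path is inspected, so a copy/move
// whose from points into the prototype is accepted.
function rejectsPatchPathOnly(ops) {
  return ops.some((op) => op != null && touchesPrototype(op.path));
}
// Hardened check: non-object ops and malformed pointers are rejected, and from is
// inspected for the two operations that carry it.
function shouldRejectPatch(ops) {
  return ops.some((op) => {
    if (op === null || typeof op !== 'object') return true;
    if (pointerSegments(op.path) === null || touchesPrototype(op.path)) return true;
    if (op.op !== 'copy' && op.op !== 'move') return false;
    return pointerSegments(op.from) === null || touchesPrototype(op.from);
  });
}
// Detection over constructed "<method> <url> <json body>" log lines: flag JSON Patch
// POSTs to the applicationData API whose ops reference the prototype via either pointer.
function flagSuspicious(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/^(\S+)\s+(\S+)\s+(\[.*\])$/);
    if (!m || m[1] !== 'POST' || !m[2].includes('/signalk/v1/applicationData/')) continue;
    let ops;
    try { ops = JSON.parse(m[3]); } catch (e) { continue; } // unparsable: skip, not flag
    if (Array.isArray(ops) && ops.some((op) => op != null && typeof op === 'object' &&
        (touchesPrototype(op.path) || touchesPrototype(op.from)))) hits.push(line);
  }
  return hits;
}
const SAMPLE_LOG = [ // constructed sample lines, not real traffic
  'POST /signalk/v1/applicationData/global/testapp/1.0 [{"op":"copy","from":"/__proto__/toString","path":"/stolen"}]',
  'POST /signalk/v1/applicationData/global/testapp/1.0 [{"op":"add","path":"/units","value":"metric"}]',
  'POST /signalk/v1/applicationData/user/testapp/1.0 [{"op":"move","from":"/constructor/prototype","path":"/x"}]',
  'GET /signalk/v1/applicationData/global/testapp/1.0 []',
];
```

Running `flagSuspicious(SAMPLE_LOG)` returns the first and third lines; the segment-wise check also catches a forbidden key hidden in a middle segment such as `/a/__proto__/b`, which a prefix match on `/__proto__` would miss.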

