CVE-2025-68930

Name of the Vulnerable Software and Affected Versions Traccar versions up to and including 6.11.1

Description The Traccar GPS tracking system is susceptible to a Cross-Site WebSocket Hijacking (CSWSH) issue. The application does not properly validate the Origin header during the WebSocket handshake, which can allow a remote attacker to circumvent the Same Origin Policy (SOP). Successful exploitation enables an attacker to establish a WebSocket connection using a legitimate user's credentials (JSESSIONID). The vulnerable API endpoint is /api/socket.

Recommendations Versions prior to 6.11.1 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.