PT-2026-29804 · Unknown · Signal K Server
Vashuvats · Published 2026-04-02 · Updated 2026-04-03 · CVE-2026-35038
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Signal K Server versions prior to 2.24.0
Description: Signal K Server, a server application used on boats, contains a flaw that lets a low-privileged authenticated user bypass its prototype-boundary filtering and read internal functions and properties from the global prototype object. The bypass is performed by manipulating the 'from' field of JSON-patch operations sent to the '/signalk/v1/applicationData/...' JSON-patch endpoint. The vulnerability allows reading more data than intended and violates data isolation. The root cause is a security guard that inspects only the 'path' property of each incoming JSON-patch object and ignores the 'from' property; a 'copy' operation whose 'from' points at '/__proto__/someProperty' therefore passes the check. The vulnerable code is in 'src/interfaces/applicationData.js' (lines 48-57), in the hasPrototypePollutionPatch function, which validates the 'path' property but not the 'from' property.
Recommendations: Update Signal K Server to version 2.24.0 or later.
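As an added example (illustrative code, not Signal K Server's own implementation), the following JSON-patch guard checks both 'path' and 'from' on every operation, shown beside a path-only variant that reproduces the defect described above; the function names, the prototype-sensitive token list and the sample patches are assumptions.

```javascript
// Illustrative JSON-patch guard (added example, not Signal K Server's code).
// Reference tokens that would walk onto the object prototype chain.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a JSON Pointer (RFC 6901) into decoded reference tokens.
// Non-string or empty pointers yield no tokens and are treated as harmless here.
function pointerTokens(pointer) {
  if (typeof pointer !== 'string' || pointer === '') return [];
  return pointer
    .split('/')
    .slice(1) // drop the empty token before the leading '/'
    .map((t) => t.replace(/~1/g, '/').replace(/~0/g, '~'));
}

function pointerTouchesPrototype(pointer) {
  return pointerTokens(pointer).some((t) => FORBIDDEN_SEGMENTS.has(t));
}

// Path-only guard: reproduces the defect described in the advisory. Only 'path'
// is inspected, so a 'copy' whose 'from' starts at /__proto__ is not caught.
function hasPrototypePollutionPatchPathOnly(patch) {
  return patch.some((op) => pointerTouchesPrototype(op.path));
}

// Hardened guard: every pointer-valued field of every operation is checked.
// 'copy' and 'move' carry a 'from' pointer in addition to 'path'.
function hasPrototypePollutionPatch(patch) {
  if (!Array.isArray(patch)) return true; // malformed document: reject outright
  return patch.some(
    (op) =>
      op === null ||
      typeof op !== 'object' ||
      pointerTouchesPrototype(op.path) ||
      pointerTouchesPrototype(op.from)
  );
}

// Constructed sample patches (assumed shapes, not captured traffic).
const copyFromProto = [{ op: 'copy', from: '/__proto__/someProperty', path: '/leaked' }];
const benignPatch = [{ op: 'add', path: '/settings/theme', value: 'dark' }];
```

The path-only guard accepts the 'copy' patch above, while the hardened guard rejects it and still accepts the benign one.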

Tags: Fix · Information Disclosure · RCE · Out of bounds Read

Weakness Enumeration

Related Identifiers

CVE-2026-35038
GHSA-QH3J-MRG8-F234

Affected Products

Signal K Server