Platform
nodejs
Component
signalk-server
Fixed in
2.24.1
2.24.0
CVE-2026-35038 describes a Prototype Pollution vulnerability affecting signalk-server. JSON-patch requests are not adequately validated, allowing an attacker to reach the object prototype chain. The vulnerability affects versions of signalk-server released before 2.24.0; the fix is available in version 2.24.0 (also carried by 2.24.1, as listed above).
The weakness lies in the `from` property of JSON-patch requests, which is the source pointer used by the JSON Patch `copy` and `move` operations (RFC 6902). Because `from` is not properly validated, an attacker can supply a pointer whose segments include `__proto__` (or, equivalently, `constructor`/`prototype`) and so step from the application data object onto the prototype chain, bypassing the intended check. Prototype pollution in general can lead to unexpected behavior, denial of service, or code execution if polluted properties reach sensitive sinks; for this CVE, the project's release note describes the confirmed impact as a low-privileged authenticated user reading internal prototype functions and properties, and any functionality that relies on the affected objects may see its data integrity or stability affected.
This vulnerability was publicly disclosed on 2026-04-03. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. Public proof-of-concept (PoC) code is not currently available, but the payload is simple (a JSON-patch with a crafted `from` pointer), so writing one would require little effort. The CVSS score of 2.5 (LOW) reflects the limited impact, a prototype read by an authenticated, low-privileged user, rather than any difficulty in exploitation.
Exploit Status
EPSS
0.06% (18th percentile)
CISA SSVC
The primary mitigation for CVE-2026-35038 is to upgrade signalk-server to version 2.24.0 or later. If upgrading is not immediately feasible, restrict the JSON-patch input accepted on the /signalk/v1/applicationData/... endpoint: reject any `copy` or `move` operation whose `from` pointer (and any operation whose `path` pointer) contains a `__proto__`, `constructor` or `prototype` segment, since each of these lets a JSON Pointer leave the document and land on the prototype chain. A Web Application Firewall (WAF) can block request bodies containing these segments in `from` or `path` as a stopgap, but treat it as defense in depth rather than a fix, because pointer segments can be encoded in ways a pattern match may miss. More generally, resolve pointers against own properties only and never apply user-supplied patches to objects whose prototype is shared with application code. After upgrading, confirm the fix by sending a JSON-patch `copy` or `move` whose `from` pointer targets `__proto__` (for example `/__proto__/toString`) and verifying that the request is rejected and that no prototype contents appear in the stored or returned data.
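As an added illustration of the mechanism described above and of the pre-check recommended as a workaround (example code written for this page, not code from the Signal K project; the function names, the `FORBIDDEN_SEGMENTS` list and the probe payload are hypothetical), the block below contrasts a naive RFC 6902 `copy` resolver, in which an unvalidated `from` pointer such as `/__proto__/toString` reads a prototype member into the document, with a validator that rejects `__proto__`, `constructor` and `prototype` segments in both `path` and `from`, plus a resolver that follows own properties only. It goes one step beyond the page by also showing the same naive handler polluting `Object.prototype` when `path` is left unchecked.

```javascript
'use strict';

// Split an RFC 6901 JSON Pointer into segments, unescaping ~1 -> "/" and ~0 -> "~".
function parsePointer(pointer) {
  if (pointer === '') return [];
  if (pointer[0] !== '/') throw new Error(`invalid JSON pointer: ${pointer}`);
  return pointer
    .slice(1)
    .split('/')
    .map((seg) => seg.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// NAIVE resolver: plain property access, so a segment such as "__proto__" or
// "constructor" walks off the document onto the prototype chain.
function resolveNaive(root, pointer) {
  let cur = root;
  for (const seg of parsePointer(pointer)) {
    if (cur === undefined || cur === null) return undefined;
    cur = cur[seg];
  }
  return cur;
}

// NAIVE "copy" handler built on the resolver above: whatever `from` resolves to
// is written at `path`, and `path` is walked the same unguarded way.
function applyCopyNaive(doc, op) {
  const value = resolveNaive(doc, op.from);
  const segs = parsePointer(op.path);
  const key = segs.pop();
  let target = doc;
  for (const seg of segs) target = target[seg];
  target[key] = value;
  return doc;
}

// Hypothetical deny-list: segments that must never appear in a pointer that is
// applied to a plain object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED pre-check: reject any patch whose `path` (all ops) or `from`
// (copy/move ops) contains a forbidden segment. Throws on the first bad op.
function validatePatch(patch) {
  if (!Array.isArray(patch)) throw new Error('patch must be an array of operations');
  patch.forEach((op, i) => {
    const pointers = [op.path];
    if (op.op === 'copy' || op.op === 'move') pointers.push(op.from);
    for (const p of pointers) {
      if (typeof p !== 'string') throw new Error(`op ${i}: pointer must be a string`);
      for (const seg of parsePointer(p)) {
        if (FORBIDDEN_SEGMENTS.has(seg)) {
          throw new Error(`op ${i}: forbidden pointer segment "${seg}" in "${p}"`);
        }
      }
    }
  });
  return patch;
}

// HARDENED resolver: follows own properties only, so even without the
// pre-check a pointer cannot step onto a prototype.
function resolveSafe(root, pointer) {
  let cur = root;
  for (const seg of parsePointer(pointer)) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, seg)) return undefined;
    cur = cur[seg];
  }
  return cur;
}

// Constructed probe (hypothetical payload shape): a copy whose source is a
// prototype member. A fixed validator must reject it.
const PROBE_PATCH = [{ op: 'copy', from: '/__proto__/toString', path: '/leak' }];

// Shows the naive copy handler polluting Object.prototype through `path`,
// then cleans up so the rest of the process is unaffected. Returns what an
// unrelated object observed while the pollution was live.
function demonstratePollution() {
  const doc = { secret: 'leaked' };
  applyCopyNaive(doc, { op: 'copy', from: '/secret', path: '/__proto__/polluted' });
  const observed = ({}).polluted;   // an unrelated object now carries .polluted
  delete Object.prototype.polluted; // cleanup
  return observed;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(resolveNaive({}, '/__proto__/toString') === Object.prototype.toString); // true
  console.log(resolveSafe({}, '/__proto__/toString'));                                // undefined
  console.log(demonstratePollution());                                                // leaked
  try { validatePatch(PROBE_PATCH); } catch (e) { console.log(e.message); }
}
```

The deny-list check in `validatePatch` is what the workaround above amounts to; `resolveSafe` is the stronger fix, because it makes the resolver incapable of leaving the document regardless of which segment names an attacker tries. Sending `PROBE_PATCH` to the application-data endpoint after upgrading is the verification step described in the previous paragraph.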
Update Signal K Server to version 2.24.0 or higher. This version fixes the Arbitrary Prototype Read vulnerability via the `from` field. The update will prevent low-privileged authenticated users from extracting internal object prototype functions and properties.
CVE-2026-35038 is a Prototype Pollution vulnerability in signalK-server versions before 2.24.0, allowing attackers to modify object prototypes via manipulation of the 'from' property in JSON-patch requests.
You are affected if you are running signalk-server versions prior to 2.24.0 and any untrusted or low-privileged user can authenticate and send JSON-patch requests to the server.
Upgrade signalK-server to version 2.24.0 or later. As a temporary workaround, implement stricter input validation on the /signalk/v1/applicationData/... endpoint.
There is currently no evidence of active exploitation (EPSS 0.06%, not in CISA KEV), but the payload is simple enough that exploitation would be straightforward for an authenticated user.
Refer to the signalK-server project's official website and release notes for the latest advisory regarding CVE-2026-35038.