Description
The /signalk/v1/applicationData/… JSON-patch endpoint lets users modify stored application data. To prevent prototype pollution, the developers added an isPrototypePollutionPath guard, but it inspects only the path property of each incoming JSON-patch operation and never the from property, which the JSON Patch move and copy operations (RFC 6902) use to name the source location. An operation whose path is clean but whose from points into the prototype chain therefore passes the guard unchecked.
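The following is an added illustration, not code from signalk-server: a guard in the shape the advisory describes (only path is checked) beside a hardened version that also checks from. The pointer check, the helper names and the sample patches are assumptions made for the example; the real isPrototypePollutionPath implementation may differ.

```javascript
// Added example (not signalk-server code). Shows why a JSON-patch guard that
// validates only `path` is bypassable through `from`, and how to close the gap.
// Segments that reach into the prototype chain when used as object keys.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Assumed pointer check: split an RFC 6901 JSON pointer on '/', undo the
// ~1 / ~0 escapes (in that order), and flag any forbidden segment.
// Anything that is not a string is treated as dangerous.
function isPrototypePollutionPath(pointer) {
  if (typeof pointer !== 'string') return true;
  return pointer
    .split('/')
    .slice(1) // drop the empty segment before the leading '/'
    .map((seg) => seg.replace(/~1/g, '/').replace(/~0/g, '~'))
    .some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Weak guard, the pattern the advisory describes: only `path` is inspected.
function weakGuard(ops) {
  return ops.every((op) => op !== null && typeof op === 'object'
    && !isPrototypePollutionPath(op.path));
}

// Hardened guard: every pointer-valued member is inspected, not only `path`.
// `move` and `copy` read their source from `from` (RFC 6902 sections 4.4 and
// 4.5), so a malicious `from` is just as dangerous as a malicious `path`.
function hardenedGuard(ops) {
  return ops.every((op) => {
    if (op === null || typeof op !== 'object') return false;
    if (isPrototypePollutionPath(op.path)) return false;
    if ('from' in op && isPrototypePollutionPath(op.from)) return false;
    // move/copy without a source is malformed; refuse rather than guess.
    if ((op.op === 'move' || op.op === 'copy') && !('from' in op)) return false;
    return true;
  });
}

// Constructed sample patches (not captured traffic).
const benign = [{ op: 'add', path: '/settings/theme', value: 'dark' }];
const badPath = [{ op: 'add', path: '/__proto__/polluted', value: true }];
// Clean `path`, prototype-chain `from`: this is the bypass.
const badFrom = [
  { op: 'copy', from: '/__proto__', path: '/settings/leaked' },
  { op: 'move', from: '/constructor/prototype', path: '/settings/moved' },
];

console.log('weak guard accepts badFrom:', weakGuard(badFrom));       // true
console.log('hardened guard accepts badFrom:', hardenedGuard(badFrom)); // false
```

The hardened variant rejects rather than ignores an unexpected from member on other operation types; ignoring unknown members is what RFC 6902 prescribes for a patch applier, but a guard in front of an untrusted applier should refuse anything it cannot vouch for.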
Recommendation
Update the signalk-server package to the latest compatible version. Version details:
- Affected version(s): < 2.24.0
- Patched version(s): 2.24.0
References
- GHSA-qh3j-mrg8-f234
- CVE-2026-35038
- CWE-125
- CWE-20
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Parse Server has a session field immutability bypass via falsy-value guard - CVE-2026-34574
- parse-server has cloud function validator bypass via prototype chain traversal - CVE-2026-34532
- Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket - CVE-2026-39363
- Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths - CVE-2026-39320
Tags:
- npm
- signalk-server
Last updated on April 03, 2026


