Description
The /signalk/v1/applicationData/… JSON-patch endpoint allows users to modify stored application data. To prevent Prototype Pollution, the developers implemented an isPrototypePollutionPath guard. However, this guard only checks the path property of incoming JSON-patch objects. It completely fails to check the from property.
Recommendation
Update the signalk-server package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.24.0
- Patched version(s): 2.24.0
References
- GHSA-qh3j-mrg8-f234
- CVE-2026-35038
- CWE-125
- CWE-20
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Parse Server has a session field immutability bypass via falsy-value guard - CVE-2026-34574
- Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution - CVE-2026-30939
- parse-server has cloud function validator bypass via prototype chain traversal - CVE-2026-34532
- Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow - CVE-2026-34083
You might also like:
- Tags:
- npm
- signalk-server
Anything's wrong? Let us know Last updated on April 03, 2026


