Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering and extract internal functions and properties from the global prototype object. This violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0.
Published: 2026-04-02
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

SignalK signalk-server prior to version 2.24.0 includes an arbitrary prototype read vulnerability that can be triggered by a low-privileged authenticated user when a `from` field value bypasses prototype boundary filtering. The attacker can read internal functions and properties from the global prototype object, violating data isolation and exposing data that should be protected. This information disclosure is classified as CWE-200, whereas the underlying implementation flaw involves CWE-125 and CWE-20.

Affected Systems

The vulnerable product is SignalK signalk-server. All installations running any version earlier than 2.24.0 are affected. The CVE reference points to the release notes for v2.24.0, which contains the fix.

Risk and Exploitability

The CVSS score of 2.1 indicates a low-severity issue, and no EPSS data is available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user who can supply a `from` field value, which is typically any local or remote user holding valid credentials. While the risk to confidentiality is limited to exposed internal properties, the presence of the flaw means that an attacker could read any data attached to prototype extensions that is not otherwise protected.

Generated by OpenCVE AI on April 2, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SignalK signalk-server to version 2.24.0 or later.
  • Verify that prototype boundary filtering is restored after the upgrade.
  • Ensure that any custom configuration does not re-enable the bypass.

Advisories
Source: GitHub GHSA
ID: GHSA-qh3j-mrg8-f234
Title: Signal K Server: Arbitrary Prototype Read via `from` Field Bypass
History

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values added: Signalk; Signalk signalk-server

Type: Vendors & Products
Values added: Signalk; Signalk signalk-server

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values added: Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering and extract internal functions and properties from the global prototype object. This violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0.

Type: Title
Values added: signalk-server: Arbitrary Prototype Read via `from` Field Bypass

Type: Weaknesses
Values added: CWE-125, CWE-20, CWE-200

Type: References (no values listed)

Type: Metrics
Values added: cvssV4_0
{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T18:46:36.895Z

Reserved: 2026-03-31T21:06:06.428Z

Link: CVE-2026-35038

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-02T17:16:27.163

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35038

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:18:34Z

Weaknesses