Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object; this violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0.
Published: 2026-04-02
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Apply Patch
AI Analysis

Impact

An attacker who can authenticate with the Signal K Server as a low‑privileged user can bypass prototype boundary filtering via the "from" field. This allows the user to read internal functions and properties from the global prototype object, exposing more data than intended. The vulnerability is a classic arbitrary prototype read (CWE‑125) and violates data isolation.
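The following is an added illustration of the bug class the advisory names, not code from Signal K Server and not the patched code path: a lookup that resolves a user-supplied `from` key with a plain property access walks the prototype chain, so keys naming `Object.prototype` members resolve to inherited functions instead of being rejected. The store, the key names and the three lookup variants are constructed for this example; only the weak and the hardened checks are meant to carry over.

```javascript
// Added example (not Signal K Server code): a prototype-boundary filter on a
// user-supplied key, a naive version that leaks inherited members, and two
// hardened versions. The store and key names are constructed for illustration.

// Constructed store of per-source values, keyed by a source identifier.
const store = {
  'vessel-1': { speed: 4.2 },
  'vessel-2': { speed: 3.9 },
};

// Naive lookup: a plain property access walks the prototype chain, so a key
// such as "constructor" or "toString" resolves to an Object.prototype member
// that the caller was never meant to reach. A one-entry denylist does not help.
function lookupNaive(from) {
  if (from === '__proto__') return undefined; // denylist of one: incomplete
  return store[from];
}

// Hardened lookup: accept the key only if it is an own property of the store;
// anything that would be found on the prototype chain is rejected.
function lookupHardened(from) {
  if (typeof from !== 'string') return undefined;
  if (!Object.prototype.hasOwnProperty.call(store, from)) return undefined;
  return store[from];
}

// Safer still: keep the data in a prototype-less object (or a Map), so there
// is no prototype chain to walk at all.
const nullStore = Object.assign(Object.create(null), store);
function lookupNullProto(from) {
  return typeof from === 'string' ? nullStore[from] : undefined;
}

// Defender-side check: which probe keys make a lookup return something that is
// not an own property of the store, i.e. something inherited from the prototype?
function leakedKeys(lookup, keys) {
  return keys.filter((k) => {
    const v = lookup(k);
    return v !== undefined && !Object.prototype.hasOwnProperty.call(store, k);
  });
}

// Constructed probe keys: one legitimate key plus typical prototype member names.
const probeKeys = ['vessel-1', 'constructor', 'toString', 'hasOwnProperty', '__proto__'];

console.log('naive leaks:', leakedKeys(lookupNaive, probeKeys));
console.log('hardened leaks:', leakedKeys(lookupHardened, probeKeys));
console.log('null-proto leaks:', leakedKeys(lookupNullProto, probeKeys));
```

The `leakedKeys` check is the kind of regression test worth keeping next to any such filter: it fails the moment a lookup returns an inherited member for a key the store does not own, which is exactly the boundary the advisory says was bypassable.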

Affected Systems

Signal K Server versions prior to 2.24.0 are affected. The vulnerability applies to all builds of the server for which the "from" field processing is implemented without proper prototype checks.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity, and the EPSS score of less than 1% reflects a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Because the attack requires authentication, the potential impact is limited to users already granted access, but the data read could reveal sensitive internal state. Until the patch is applied, the threat remains low but present.

Generated by OpenCVE AI on April 6, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Signal K Server to version 2.24.0 or later to eliminate the prototype read vulnerability.

Advisories
Source: GitHub GHSA
ID: GHSA-qh3j-mrg8-f234
Title: Signal K Server: Arbitrary Prototype Read via `from` Field Bypass
History

Mon, 06 Apr 2026 15:30:00 +0000

Type / Values Removed / Values Added
First Time appeared / (none) / Signalk signal K Server
CPEs / (none) / cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*
Vendors & Products / (none) / Signalk signal K Server
Metrics / (none) / cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 03 Apr 2026 10:15:00 +0000

Type / Values Removed / Values Added
First Time appeared / (none) / Signalk; Signalk signalk-server
Vendors & Products / (none) / Signalk; Signalk signalk-server

Thu, 02 Apr 2026 20:30:00 +0000

Type / Values Removed / Values Added
Description / (none) / Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object; this violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0.
Title / (none) / signalk-server: Arbitrary Prototype Read via `from` Field Bypass
Weaknesses / (none) / CWE-125, CWE-20, CWE-200
References / (none) /
Metrics / (none) / cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T18:46:36.895Z

Reserved: 2026-03-31T21:06:06.428Z

Link: CVE-2026-35038

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-02T17:16:27.163

Modified: 2026-04-06T14:54:52.377

Link: CVE-2026-35038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:03Z

Weaknesses