CVE-2025-68930
- Source
- https://cve.org/CVERecord?id=CVE-2025-68930
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68930.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-68930
- Aliases
-
- GHSA-69x6-wcx2-vghp
- Published
- 2026-02-23T20:44:29.939Z
- Modified
- 2026-03-10T13:38:32.345194Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N CVSS Calculator
- Summary
- Traccar Missing Origin Validation in WebSockets
- Details
-
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the
/api/socketendpoint. The application fails to validate theOriginheader during the WebSocket handshake. This allows a remote attacker to bypass the Same Origin Policy (SOP) and establish a full-duplex WebSocket connection using a legitimate user's credentials (JSESSIONID). As of time of publication, it is unclear whether a fix is available. - Database specific
{ "cwe_ids": [ "CWE-1385" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68930.json" }- References
Affected packages
Git / github.com/traccar/traccar
Affected versions
v2.*
v2.0
v2.1
v2.10
v2.11
v2.12
v2.2
v2.3
v2.4
v2.5
v2.6
v2.7
v2.8
v2.9
v3.*
v3.0
v3.1
v3.10
v3.11
v3.12
v3.13
v3.14
v3.15
v3.16
v3.17
v3.2
v3.4
v3.5
v3.6
v3.7
v3.8
v3.9
v4.*
v4.0
v4.1
v4.10
v4.11
v4.12
v4.13
v4.14
v4.15
v4.2
v4.3
v4.4
v4.5
v4.6
v4.7
v4.8
v4.9
v5.*
v5.0
v5.1
v5.10
v5.11
v5.12
v5.2
v5.3
v5.4
v5.5
v5.6
v5.7
v5.8
v5.9
v6.*
v6.0
v6.1
v6.10.0
v6.11.0
v6.11.1
v6.2
v6.3
v6.4
v6.5
v6.6
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.8.0
v6.8.1
v6.9.0
v6.9.1