CVE-2026-35038: Arbitrary Prototype Read in Signal K Server via JSON-Patch Bypass

Signal K Server acts as a central data hub for marine applications, exposing various API endpoints for data management. The server provides a specific endpoint located at /signalk/v1/applicationData/... that processes JSON-patch operations as defined in RFC 6902. This functionality allows authenticated clients to dynamically modify stored application state through standardized operations.

Prior to version 2.24.0, the JSON-patch implementation contained an asymmetric input validation flaw. The development team implemented a security control, isPrototypePollution, to prevent malicious modification of the global JavaScript prototype object. This control was designed to block payload paths containing restricted keywords such as __proto__, constructor, and prototype.

The vulnerability exists because this validation routine was not applied comprehensively across all JSON-patch operation fields. The destination path field underwent strict validation, successfully mitigating standard prototype pollution attacks. The source from field, utilized specifically in copy and move operations, bypassed this validation routine entirely.

This oversight permits an authenticated user to specify restricted prototype paths as the source of a copy operation. The application then extracts the data from the restricted prototype location and writes it to a user-readable destination path, resulting in an arbitrary prototype read vulnerability.

The root cause of CVE-2026-35038 is a failure to comprehensively validate all user-controlled path parameters within the JSON-patch processing pipeline. RFC 6902 defines several operations, including add, remove, replace, copy, and move. Operations that transfer data from one location to another, namely copy and move, require both a source location (from) and a destination location (path).

The Signal K Server implementation centralized its prototype pollution defenses around the destination object to prevent attackers from overwriting prototype properties. When processing an operation, the code invoked the isPrototypePollution check exclusively on the path attribute. The code responsible for resolving the source object referenced by the from attribute lacked an equivalent check.

When a client submits a copy operation, the server evaluates the from string to retrieve the target value from memory. Because no boundary checks restrict this resolution process, the server engine traverses the JavaScript prototype chain if instructed to do so via standard prototype identifiers. The server then treats the retrieved internal object or function as standard application data.

The flaw highlights a common anti-pattern in prototype pollution defense where developers focus solely on write operations while neglecting read operations. While arbitrary reads do not corrupt application state, they violate data boundary isolation and expose internal memory structures to unauthorized actors.

The vulnerable code path resides in the JSON-patch processing logic where individual operations are parsed and executed. The implementation relied on a boundary checking function that examined string inputs for banned substrings associated with prototype traversal.

In the vulnerable implementation, the application iterated through the provided JSON-patch array. For each operation, the code verified that op.path did not trigger the isPrototypePollution(op.path) condition. However, operations utilizing the from attribute immediately processed the source path using standard object traversal techniques without passing op.from through the same validation function.

The remediation introduced in version 2.24.0 corrects this asymmetry by applying the isPrototypePollution check to both spatial parameters. The patch logic ensures that any JSON-patch operation containing a from field undergoes identical scrutiny to the path field.

// Vulnerable Logic (Conceptual)
if (isPrototypePollution(operation.path)) {
  throw new Error("Invalid path");
}
// The operation.from field is processed without validation
executePatch(operation.from, operation.path);
 
// Patched Logic (Conceptual)
if (isPrototypePollution(operation.path)) {
  throw new Error("Invalid path");
}
if (operation.from && isPrototypePollution(operation.from)) {
  throw new Error("Invalid from path");
}
executePatch(operation.from, operation.path);

This structural change guarantees that the JSON pointer resolution engine will reject requests attempting to traverse the prototype chain, regardless of whether the traversal occurs during a read phase or a write phase.

Exploiting this vulnerability requires the attacker to possess valid credentials for the Signal K Server with sufficient privileges to interact with the /signalk/v1/applicationData/... endpoint. The attacker must also identify a valid application data path where they have read access to retrieve the extracted information.

The attack is initiated by constructing a specialized JSON-patch payload using the copy operation. The attacker sets the from field to target the global prototype, using a path such as /constructor/prototype/internalSecretKey. The path field is configured to point to an accessible location within the user's application data namespace, such as /userSettings/myPublicData/leakedValue.

[
  {
    "op": "copy",
    "from": "/constructor/prototype/someInternalSecret",
    "path": "/userSettings/myPublicData/leakedValue"
  }
]

The attacker submits this payload via an HTTP POST or PATCH request to the application data endpoint. The server processes the operation, successfully resolving the restricted source path because the validation filter is bypassed. The server copies the requested internal property and persists it at the user-readable destination.

Following the successful execution of the JSON-patch operation, the attacker issues an HTTP GET request to the destination path. The server returns the contents of the copied prototype property within the JSON response payload, completing the data exfiltration cycle.

The vulnerability allows authenticated, low-privileged users to extract internal functions and properties stored on the global JavaScript prototype object. This capability results in unauthorized information disclosure and violates the intended data isolation boundaries of the server environment.

The immediate impact is restricted to data confidentiality. Attackers can map internal application state, extract hidden configuration variables, or retrieve sensitive data structures that developers assumed were inaccessible from the user space. The vulnerability does not permit the modification of prototype properties, preventing direct execution of traditional prototype pollution attacks that lead to remote code execution or denial of service.

The CVSS v4.0 score reflects these constraints with a base score of 2.1 (Low severity). The vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P indicates that the attack is executable over the network with low complexity, requires low privileges, involves no user interaction, and results in a low impact to confidentiality with no impact to integrity or availability.

While the direct impact is limited, the extracted information provides an attacker with deep visibility into the server's execution environment. This internal knowledge reduces the complexity of discovering and exploiting secondary vulnerabilities, making it a valuable reconnaissance primitive during a broader intrusion campaign.

The primary remediation for CVE-2026-35038 is to upgrade Signal K Server to version 2.24.0 or later. This release contains the complete patch that extends input validation to all relevant fields within the JSON-patch processing module. Administrators should schedule a maintenance window to apply this update to all deployed hub systems.

If immediate patching is not feasible due to operational constraints, administrators can implement mitigating controls at the network boundary. A Web Application Firewall (WAF) or reverse proxy can be configured to inspect HTTP request bodies destined for the /signalk/v1/applicationData/... endpoint. The WAF rule should drop any request containing strings like constructor, prototype, or __proto__ within the JSON payload.

Development teams managing similar node-based applications should review their JSON-patch implementations. Security testing must verify that prototype pollution protections apply uniformly to all object traversal mechanisms, including source pointers in read operations. Relying exclusively on destination path validation is insufficient to guarantee data isolation.