CVE-2025-68930

HIGH

Traccar <= 6.11.1 - Cross-Site WebSocket Hijacking via Origin Header Misvalidation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-68930. PoCs published by hazar, kaleth4.

AI-analyzed exploit summary This exploit demonstrates a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in Traccar GPS Tracking System by bypassing the Same Origin Policy (SOP) due to lack of 'Origin' header validation. It establishes a WebSocket connection to leak real-time sensitive data using a victim's valid JSESSIONID.

Description

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a remote attacker to bypass the Same Origin Policy (SOP) and establish a full-duplex WebSocket connection using a legitimate user's credentials (JSESSIONID). As of time of publication, it is unclear whether a fix is available.

Exploits (2)

exploitdb WORKING POC
by hazar · pythonwebappsmultiple
https://www.exploit-db.com/exploits/52545

This exploit demonstrates a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in Traccar GPS Tracking System by bypassing the Same Origin Policy (SOP) due to lack of 'Origin' header validation. It establishes a WebSocket connection to leak real-time sensitive data using a victim's valid JSESSIONID.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Traccar GPS Tracking System <= 6.11.1
Auth required
Prerequisites: Valid JSESSIONID cookie · Target IP and port
devstral-2 · analyzed May 05, 2026 Full analysis →
nomisec WRITEUP
by kaleth4 · poc
https://github.com/kaleth4/CVE-2025-68930

The repository provides a detailed technical analysis of CVE-2025-68930, a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in Traccar. It explains the root cause (lack of Origin header validation), exploitation mechanism, and includes a conceptual exploit example.

Classification
Writeup 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Traccar (versions up to 6.11.1)
Auth required
Prerequisites: Valid JSESSIONID cookie from an authenticated user · User interaction to visit a malicious site
devstral-2 · analyzed May 05, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 7.1
EPSS 0.0054
EPSS Percentile 41.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-1385
Status published
Products (1)
traccar/traccar < 6.11.1
Published Feb 23, 2026
Tracked Since Feb 23, 2026