CVE-2025-68930
Published: 23 February 2026
Summary
CVE-2025-68930 is a high-severity Missing Origin Validation in WebSockets (CWE-1385) vulnerability in the Traccar GPS tracking server (vendor: Traccar). Its CVSS 3.1 base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002): a logged-in user has to be lured to an attacker-controlled page. The vulnerability is ranked at the 29.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
Spearphishing Link (T1566.002): the attacker needs the victim's browser to load an attacker-controlled page, typically reached through a phishing link. Because the server does not validate the Origin header, that page can open a WebSocket to /api/socket and the browser silently attaches the victim's JSESSIONID cookie, so the attacker ends up with a hijacked session over which it can exfiltrate data and issue command actions on the victim's behalf.
NVD Description
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a remote attacker to bypass the Same Origin Policy (SOP) and establish a full-duplex WebSocket connection using a legitimate user's credentials (JSESSIONID). As of time of publication, it is unclear whether a fix is available.
Deeper analysis (AI-generated)
CVE-2025-68930 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability, classified under CWE-1385, affecting versions of the Traccar open-source GPS tracking system up to and including 6.11.1. The issue resides in the `/api/socket` endpoint, where the application does not validate the `Origin` header during the WebSocket handshake. This flaw enables attackers to circumvent the Same Origin Policy (SOP), allowing unauthorized establishment of a full-duplex WebSocket connection.
A remote attacker can exploit this vulnerability without privileges (PR:N) over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). By tricking a legitimate user into visiting a malicious webpage—such as through a phishing link—the attacker can leverage the user's existing session credentials (JSESSIONID) to hijack the WebSocket connection. Successful exploitation grants high confidentiality impact (C:H) and low integrity impact (I:L), with no availability impact (A:N) and unchanged scope (S:U), as scored at CVSS 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N). This could enable real-time data exfiltration or injection of commands on behalf of the victim user.
The GitHub Security Advisory (GHSA-69x6-wcx2-vghp) at the project's repository details the vulnerability but notes that, as of publication on 2026-02-23, it is unclear whether a fix is available. Security practitioners should monitor the Traccar repository for patches and, as an interim mitigation, enforce Origin validation on the WebSocket handshake for `/api/socket`, either in the application or at a reverse proxy in front of it: accept only an exact match against the deployment's own origin(s), and reject handshakes carrying a `null` Origin. Setting the session cookie's SameSite attribute to Lax or Strict also stops modern browsers from attaching JSESSIONID to a cross-site handshake, which removes the precondition for CSWSH. Note that the attacker does not need to know the cookie value; the victim's browser supplies it.
Details
- CWE(s)