Cross‑Site WebSocket Hijacking (CVE‑2025‑68930) Exposes Real‑Time GPS Data in Traccar Tracking Platform
What Happened — A vulnerability (CVE‑2025‑68930) in Traccar GPS Tracking System ≤ 6.11.1 fails to validate the Origin header on its WebSocket endpoint (/api/socket). An attacker who can obtain a valid JSESSIONID cookie can set a malicious Origin header, bypass the Same‑Origin Policy, hijack the WebSocket session, and stream live GPS coordinates and device status.
Why It Matters for TPRM —
- Real‑time location data of assets, vehicles, or personnel can be disclosed to unauthorised parties, creating privacy, safety, and regulatory risks.
- The flaw is exploitable with publicly available scripts, turning a simple credential leak into a full data‑exfiltration vector.
- Many third‑party logistics, fleet‑management, and IoT vendors embed Traccar as a core component, expanding the attack surface across supply chains.
Who Is Affected — Transportation & logistics firms, fleet‑management SaaS providers, IoT device manufacturers, and any organisation that deploys Traccar (on‑premise or cloud) to track assets.
Recommended Actions —
- Verify whether any third‑party services in your supply chain use Traccar ≤ 6.11.1.
- If present, upgrade immediately to version 6.12.0 or later where the Origin check is enforced.
- Rotate all active JSESSIONID cookies and enforce short session lifetimes.
- Apply Web Application Firewall (WAF) rules to block unexpected Origin headers on /api/socket.
- Conduct a focused audit of WebSocket traffic for anomalous connections.
Technical Notes — The exploit leverages a misconfiguration (missing Origin validation) that enables a Cross‑Site WebSocket Hijacking (CSWSH) attack. No CVE‑published patch existed at the time of disclosure; the vendor released a fix in v6.12.0. Data types exposed include GPS latitude/longitude, speed, device status, and timestamps. Source: Exploit‑DB 52545
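The missing check described above, as an added defender-side example (not Traccar's own code): an Origin allow-list test that a WebSocket handshake handler or WAF rule would apply to /api/socket, plus the same test run over a constructed handshake log to flag anomalous connections. The allowed origin, the log line format and the choice to refuse a missing Origin are assumptions of this example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Origins the deployment legitimately serves its web UI from (assumed value).
ALLOWED_ORIGINS = {"https://tracking.example.com"}


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] with default ports stripped, or None if unusable.

    Browsers send 'null' for opaque origins; urlsplit yields no scheme/host for it,
    so it is rejected like any other malformed value.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower()
    if port is None or port == {"http": 80, "https": 443}[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def origin_allowed(headers: dict, allowed=ALLOWED_ORIGINS) -> bool:
    """Accept the upgrade only when Origin exactly matches an allow-listed origin.

    Exact comparison of the normalized value defeats prefix/suffix tricks such as
    tracking.example.com.attacker.example. A missing Origin is refused here (policy
    assumption); non-browser clients would need an explicit exception.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        return False
    return normalize_origin(origin) in allowed


# Constructed sample handshake log: "client_ip path origin" ('-' = header absent).
SAMPLE_LOG = """\
203.0.113.10 /api/socket https://tracking.example.com
203.0.113.11 /api/socket https://evil.example
203.0.113.12 /api/devices https://evil.example
203.0.113.13 /api/socket -
"""


def suspicious_upgrades(log_text: str, allowed=ALLOWED_ORIGINS) -> list:
    """Return (client_ip, origin) for /api/socket handshakes a correct check would refuse."""
    hits = []
    for line in log_text.splitlines():
        ip, path, origin = line.split()
        if path != "/api/socket":
            continue
        hdrs = {} if origin == "-" else {"Origin": origin}
        if not origin_allowed(hdrs, allowed):
            hits.append((ip, origin))
    return hits
```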