CVE-2025-68930

7.1 HIGH

📋 TL;DR

This CVE describes a Cross-Site WebSocket Hijacking vulnerability in Traccar GPS tracking system versions up to 6.11.1. Attackers can bypass Same Origin Policy to establish WebSocket connections using stolen user credentials, potentially intercepting real-time GPS data or sending malicious commands. All users running vulnerable Traccar versions are affected.

💻 Affected Systems

Products:
  • Traccar GPS Tracking System
Versions: up to and including 6.11.1
Operating Systems: All platforms running Traccar
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the default WebSocket endpoint configuration are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers intercept real-time GPS tracking data, manipulate device commands, track user locations, and potentially compromise the entire tracking infrastructure.

🟠 Likely Case

Attackers hijack WebSocket sessions to monitor GPS data streams, inject false location data, or disrupt tracking operations.

🟢 If Mitigated

With proper origin validation, only legitimate same-origin requests can establish WebSocket connections, preventing cross-site hijacking.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking authenticated users into visiting malicious sites that initiate WebSocket connections.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://github.com/traccar/traccar/security/advisories/GHSA-69x6-wcx2-vghp

Restart Required: Yes

Instructions:

Monitor the Traccar GitHub repository for security updates. When available, update to the patched version and restart the Traccar service.

🔧 Temporary Workarounds

Origin Header Validation (applies to: all)

  • Implement server-side validation of the Origin header during the WebSocket handshake
  • Modify the WebSocket endpoint code to validate that the Origin header matches the expected domains

WebSocket CSRF Tokens (applies to: all)

  • Add CSRF tokens to WebSocket connection requests
  • Implement token validation for WebSocket upgrade requests
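The Origin check described above, as an added illustration that is not Traccar's own code: the allowlist hostnames and ports are constructed for the example, and the comparison is done on the full (scheme, host, port) tuple so that look-alike hostnames, scheme downgrades and a missing or `null` Origin are all refused. This protects a browser user's session from cross-site pages; a non-browser client can set any Origin, so the check complements rather than replaces authentication.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the origins the Traccar web UI is
# legitimately served from. A real deployment substitutes its own values.
ALLOWED_ORIGINS = {
    ("https", "tracker.example.com", 443),
    ("https", "tracker.example.com", 8082),
}


def origin_allowed(origin_header, allowed=ALLOWED_ORIGINS):
    """Return True only if the Origin header names an allowlisted origin.

    Matching on (scheme, host, port) means 'https://tracker.example.com.attacker.test'
    or an http:// downgrade do not match. A missing or 'null' Origin is rejected:
    browsers always send Origin on a WebSocket upgrade, so its absence means the
    request did not come from a trusted page.
    """
    if not origin_header or origin_header.strip().lower() == "null":
        return False
    parts = urlsplit(origin_header.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False  # an Origin is scheme://host[:port] and nothing else
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False  # non-numeric or out-of-range port
    return (parts.scheme, parts.hostname.lower(), port) in allowed


def check_upgrade(headers):
    """Decide a WebSocket upgrade from its request headers (names case-insensitive).

    Returns (status_code, reason): 101 to proceed, 403 to refuse the handshake,
    400 when the request is not an upgrade at all.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return 400, "not a websocket upgrade"
    if not origin_allowed(h.get("origin")):
        return 403, "origin not allowed"
    return 101, "switching protocols"
```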

🧯 If You Can't Patch

  • Implement a reverse proxy with strict Origin header validation
  • Restrict WebSocket endpoint access to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check if Traccar version is 6.11.1 or earlier and WebSocket endpoint accepts connections without Origin validation

Check Version:

Check Traccar web interface or server logs for version information

Verify Fix Applied:

Test WebSocket connections with different Origin headers; only same-origin requests should succeed

📡 Detection & Monitoring

Log Indicators:

  • WebSocket connections from unexpected origins
  • Multiple failed WebSocket handshake attempts

Network Indicators:

  • WebSocket traffic from non-legitimate domains
  • Suspicious WebSocket upgrade requests

SIEM Query:

(websocket AND origin NOT IN allowed_domains) OR (websocket AND status_code=101 AND suspicious_user_agent)
