Package details: pkg:npm/signalk-server@2.24.0

purl: pkg:npm/signalk-server@2.24.0
Next non-vulnerable version: 2.25.0
Latest non-vulnerable version: 2.25.0
Risk: 4.0
Vulnerabilities affecting this package (2)

Vulnerability: VCID-69vq-fq3v-1yhf
Aliases: CVE-2026-41893, GHSA-vmfm-ch9h-5c7g
Summary: Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path, sending {login: {username, password}} messages over an established WebSocket connection, calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0.
Fixed by: 2.25.0
Affected by 0 other vulnerabilities.

Vulnerability: VCID-dbpe-ejtp-4kay
Aliases: CVE-2026-39320, GHSA-7gcj-phff-2884
Summary: Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the `context` parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests. Version 2.25.0 contains a fix.
Fixed by: 2.25.0
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (2)

Vulnerability: VCID-jb5w-972p-mkef
Aliases: CVE-2026-34083, GHSA-cxj8-ggf2-p57c
Summary: Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an attacker can spoof the Host header to steal OAuth authorization codes and hijack user sessions in realistic deployments, as the OIDC provider will then send the authorization code to whatever domain was injected. This issue has been patched in version 2.24.0.

Vulnerability: VCID-xraa-e8gf-afdq
Aliases: CVE-2026-35038, GHSA-qh3j-mrg8-f234

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-13T06:29:48.718226+00:00 | GHSA Importer | Affected by | VCID-69vq-fq3v-1yhf | https://github.com/advisories/GHSA-vmfm-ch9h-5c7g | 38.6.0
2026-06-13T06:28:42.852278+00:00 | GHSA Importer | Fixing | VCID-jb5w-972p-mkef | https://github.com/advisories/GHSA-cxj8-ggf2-p57c | 38.6.0
2026-06-13T06:28:42.067387+00:00 | GHSA Importer | Fixing | VCID-xraa-e8gf-afdq | https://github.com/advisories/GHSA-qh3j-mrg8-f234 | 38.6.0
2026-06-12T22:19:10.634397+00:00 | GitLab Importer | Affected by | VCID-69vq-fq3v-1yhf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/signalk-server/CVE-2026-41893.yml | 38.6.0
2026-06-12T22:11:40.149481+00:00 | GitLab Importer | Affected by | VCID-dbpe-ejtp-4kay | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/signalk-server/CVE-2026-39320.yml | 38.6.0
2026-06-12T21:52:00.998942+00:00 | GitLab Importer | Fixing | VCID-xraa-e8gf-afdq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/signalk-server/CVE-2026-35038.yml | 38.6.0
2026-06-12T21:51:59.816516+00:00 | GitLab Importer | Fixing | VCID-jb5w-972p-mkef | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/signalk-server/CVE-2026-34083.yml | 38.6.0
2026-06-12T07:46:35.913624+00:00 | GithubOSV Importer | Fixing | VCID-xraa-e8gf-afdq | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qh3j-mrg8-f234/GHSA-qh3j-mrg8-f234.json | 38.6.0
2026-06-12T07:46:09.125725+00:00 | GithubOSV Importer | Fixing | VCID-jb5w-972p-mkef | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-cxj8-ggf2-p57c/GHSA-cxj8-ggf2-p57c.json | 38.6.0