CVE-2025-68620: Unauthenticated Attackers Can Steal JWT Tokens and Fully Bypass Authentication in Signal K Server

CVE ID: CVE-2025-68620
Affected Product: Signal K Server
Affected Versions: All versions prior to 2.19.0
Severity: Critical
CVSS v3.1 Score: 9.1
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Full authentication bypass, credential theft, device impersonation


Summary

CVE-2025-68620 is a critical authentication bypass vulnerability in Signal K Server that allows an unauthenticated attacker to obtain valid JWT authentication tokens. The flaw exists due to the combination of two insecure features that were individually accessible without authentication and could be chained together to fully compromise the access control model.

By abusing the unauthenticated exposure of WebSocket server events together with unauthenticated REST access to access-request status, an attacker can steal JWT tokens issued to legitimate devices or applications. Possession of these tokens grants the attacker the same level of access as an approved and trusted client.


Root Cause Analysis

The vulnerability arises from improper authorization enforcement on both WebSocket and REST interfaces when the server is configured with allow_readonly=true, which is common in many deployments.

The issue is not a cryptographic weakness in JWT itself, but a logic flaw in how authentication workflows were exposed to readonly and unauthenticated users.


Technical Details

1. Unauthenticated WebSocket Request Enumeration

Signal K Server exposes a WebSocket stream endpoint intended to broadcast server-side events. When a client connects with the query parameter:

serverevents=all

the server responds by sending all cached server events stored in app.lastServerEvents.

The startServerEvents function iterates through these cached events and transmits them to the connected client without verifying the client’s authorization level.

Because:

  • WebSocket connections are allowed for readonly users
  • Unauthenticated users are treated as readonly users when allow_readonly is enabled

an unauthenticated attacker can receive sensitive ACCESS_REQUEST events. These events disclose:

  • Access request IDs
  • Client identifiers and descriptions
  • Requested permission scopes
  • Source IP addresses

This effectively allows attackers to enumerate all pending access requests in real time.


2. Unauthenticated Access Request Polling and Token Exposure

Signal K Server also exposes a REST endpoint for querying access request status:

/signalk/v1/access/requests/:id

This endpoint:

  • Uses readonly authentication
  • Does not enforce user authentication
  • Returns the complete access request object

When an administrator approves an access request, the response includes the issued JWT token in plaintext. The queryRequest function returns the full request state, including the token field, without redaction.

Any attacker who knows a valid request ID can poll this endpoint repeatedly until approval occurs and immediately retrieve the JWT token.


Exploitation Paths

An attacker can exploit CVE-2025-68620 in two primary ways.

Path 1: Attacker-Created Access Request

  1. The attacker submits an access request, optionally spoofing IP or device identity to appear legitimate.
  2. The attacker polls the corresponding request ID.
  3. An administrator approves the request.
  4. The attacker receives a valid JWT token and gains authenticated access.

Path 2: Passive Token Theft from Legitimate Devices

  1. The attacker connects to the WebSocket stream without authentication.
  2. The attacker monitors ACCESS_REQUEST events from real devices.
  3. Request IDs are collected silently.
  4. The attacker polls each request ID using the REST endpoint.
  5. Once approved by an administrator, the attacker steals the JWT token intended for the legitimate device.

The second path is particularly dangerous because it allows silent hijacking of trusted device credentials without generating suspicious access requests.


Impact

Successful exploitation enables:

  • Complete authentication bypass
  • Theft of valid JWT authentication tokens
  • Persistent unauthorized access
  • Impersonation of legitimate marine devices and applications
  • Potential manipulation, disruption, or exfiltration of navigation and sensor data

Because no authentication or user interaction is required, exploitation is trivial once network access is available.


MITRE ATT&CK Mapping

  • Initial Access: Exploit Public-Facing Application
  • Credential Access: Unsecured Credentials
  • Persistence: Valid Accounts (JWT Tokens)
  • Defense Evasion: Abuse of Trusted Relationships
  • Collection: Data from Information Repositories

Detection and Monitoring

Recommended Log Sources

  • Signal K Server application logs
  • WebSocket connection logs
  • HTTP access logs for REST endpoints
  • Reverse proxy or firewall logs

Indicators of Compromise

  • Unauthenticated WebSocket connections using serverevents=all
  • High-frequency or repeated requests to /signalk/v1/access/requests/:id
  • Polling of access request endpoints before or without corresponding admin actions
  • Requests originating from unknown or unexpected IP addresses

Detection Concepts

  • Alert on unauthenticated access to access-request endpoints
  • Monitor for abnormal polling patterns
  • Correlate WebSocket connections with REST polling activity from the same source

Example Malicious Requests

WebSocket enumeration:

ws://<host>:<port>/signalk/v1/stream?serverevents=all

Access request polling:

GET /signalk/v1/access/requests/<request_id>
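The detection concepts above (alerting on stream enumeration, abnormal polling, and correlating both from one source) as an added example that is not part of the advisory: it scores combined-format access-log lines and raises the severity when a single source shows both behaviours. The log format, the assumption that the WebSocket upgrade appears as an HTTP 101 line in a reverse-proxy log, the polling threshold and the sample log are all constructed for this sketch.

```javascript
// Regexes for a combined-format access log as a reverse proxy in front of the server might write
// it; the WebSocket upgrade is assumed to appear as an HTTP 101 line (assumption of this sketch).
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/
const POLL_RE = /^\/signalk\/v1\/access\/requests\/([^/?]+)$/
const POLL_THRESHOLD = 5 // access-request polls per source before alerting (assumed tuning)

function parseLine(line) {
  const m = LINE_RE.exec(line)
  if (!m) return null
  const url = new URL(m[3], 'http://placeholder') // base only makes the relative path parse
  return { ip: m[1], method: m[2], path: url.pathname, query: url.searchParams, status: m[4] }
}

// Returns one finding per source that shows either behaviour; both together (Path 2) score high.
function analyse(lines) {
  const perSource = new Map()
  for (const line of lines) {
    const ev = parseLine(line)
    if (!ev) continue
    const s = perSource.get(ev.ip) || { streamEnum: 0, polls: 0, ids: new Set() }
    if (ev.path === '/signalk/v1/stream' && ev.query.get('serverevents') === 'all') s.streamEnum++
    const p = POLL_RE.exec(ev.path)
    if (p && ev.method === 'GET') { s.polls++; s.ids.add(p[1]) }
    perSource.set(ev.ip, s)
  }
  const findings = []
  for (const [ip, s] of perSource) {
    const reasons = []
    if (s.streamEnum > 0) reasons.push('websocket stream opened with serverevents=all')
    if (s.polls >= POLL_THRESHOLD) reasons.push(`${s.polls} access-request polls over ${s.ids.size} ids`)
    if (reasons.length === 0) continue
    findings.push({ ip, severity: reasons.length === 2 ? 'high' : 'medium', reasons })
  }
  return findings
}

// Constructed sample log: 10.0.0.7 opens the stream and polls two ids; 10.0.0.9 polls its own once.
const SAMPLE_LOG = [
  '10.0.0.7 - - [10/Jan/2026:10:00:01 +0000] "GET /signalk/v1/stream?serverevents=all HTTP/1.1" 101 0',
  '10.0.0.7 - - [10/Jan/2026:10:00:05 +0000] "GET /signalk/v1/access/requests/req-a1 HTTP/1.1" 200 180',
  '10.0.0.7 - - [10/Jan/2026:10:00:06 +0000] "GET /signalk/v1/access/requests/req-b2 HTTP/1.1" 200 180',
  '10.0.0.7 - - [10/Jan/2026:10:00:07 +0000] "GET /signalk/v1/access/requests/req-a1 HTTP/1.1" 200 180',
  '10.0.0.7 - - [10/Jan/2026:10:00:08 +0000] "GET /signalk/v1/access/requests/req-b2 HTTP/1.1" 200 180',
  '10.0.0.7 - - [10/Jan/2026:10:00:09 +0000] "GET /signalk/v1/access/requests/req-a1 HTTP/1.1" 200 412',
  '10.0.0.9 - - [10/Jan/2026:10:00:10 +0000] "GET /signalk/v1/access/requests/req-b2 HTTP/1.1" 200 180',
  '10.0.0.9 - - [10/Jan/2026:10:00:11 +0000] "PUT /signalk/v1/api/vessels/self/navigation HTTP/1.1" 202 0'
]

function sampleFindings() { return analyse(SAMPLE_LOG) }
```

A legitimate device polling only its own request id stays below the threshold and never opens the stream with serverevents=all, so it produces no finding.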

Remediation

Official Patch

The vulnerability is fully fixed in Signal K Server version 2.19.0.

Official patch and release details:
https://github.com/SignalK/signalk-server/releases/tag/v2.19.0


Additional Mitigation Recommendations

  • Upgrade immediately to version 2.19.0 or later
  • Rotate all existing JWT tokens after patching
  • Disable allow_readonly unless explicitly required
  • Restrict access to WebSocket and access-request endpoints using network controls
  • Review historical access request approvals for suspicious activity

Final Takeaway

CVE-2025-68620 highlights how misconfigured or overly permissive read-only access can undermine an entire authentication model. No authentication is required to exploit this issue, and the impact is severe and persistent. Systems running vulnerable versions should be treated as potentially compromised until patched and all tokens are rotated.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.