58 matches found
Unauthenticated Information Disclosure
signalk-server is vulnerable to unauthenticated information disclosure. The vulnerability is due to missing authentication checks on sensitive endpoints, which allows an attacker to retrieve internal system details such as the full SignalK data schema, connected serial devices, and installed...
CVE-2025-68620
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...
Authentication Bypass Using an Alternate Path or Channel
Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the startServerEvents and queryRequest functions. When allowreadonly is enabled, an unauthenticated...
current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2025-68620 via signalk-server (=1.46.3)
signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2025-68620 Source advisory: OSV:GHSA-FQ56-HVG6-WVM5...
EUVD-2025-206135
Signal K Server Vulnerable to Access Request Spoofing...
current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2025-69203 via signalk-server (=1.46.3)
signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2025-69203 Source advisory: OSV:GHSA-VFRF-VCJ7-WVR8...
Arbitrary Code Injection
Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Arbitrary Code Injection via the appstore.js REST API endpoint, which allows the installation of npm packages using unsanitized version specifiers. An administrator...
current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2025-68619 via signalk-server (=1.46.3)
signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2025-68619 Source advisory: OSV:GHSA-93JC-VQQC-VVVH...
Information Exposure
Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Information Exposure via the exposed endpoints /skServer/serialports, /skServer/availablePaths, and /skServer/hasAnalyzer that are not protected by authentication...
current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2025-68273 via signalk-server (=1.46.3)
signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2025-68273 Source advisory: OSV:GHSA-FPF5-W967-RR2M...
Allocation of Resources Without Limits or Throttling
Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the /signalk/v1/access/requests endpoint. An attacker can cause the server to exhaust memory resources and...
current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2025-68272 via signalk-server (=1.46.3)
signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2025-68272 Source advisory: OSV:GHSA-7RQC-FF8M-7J23...
GHSA-7RQC-FF8M-7J23 Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
Summary A Denial of Service DoS vulnerability allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint /signalk/v1/access/requests. This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. Details The...
Improper Control of Dynamically-Managed Code Resources
Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the restoreFilePath global variable, which can be manipulated through the /skServer/validateBackup endpoin...
current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2025-66398 via signalk-server (=1.46.3)
signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2025-66398 Source advisory: OSV:GHSA-W3X5-7C4C-66P9...
CVE-2025-68619
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugi...
CVE-2025-68272
Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service DoS vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint /signalk/v1/access/requests. This causes a...
CVE-2025-68272 Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service DoS vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint /signalk/v1/access/requests. This causes a...