Lucene search
K

38 matches found

Veracode
added 2026/01/07 2:51 p.m. | 3 views

Denial Of Service (DoS)

signalk-server is vulnerable to Denial of Service (DoS). The vulnerability is due to unbounded in-memory storage of access request objects at the /signalk/v1/access/requests endpoint, which allows an unauthenticated attacker to flood the endpoint and crash the server through memory exhaustion...

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.00085
Exploits: 1 | References: 4 | Affected Software: 1
RedhatCVE
added 2026/01/02 6:37 p.m. | 4 views

CVE-2025-68272

Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint /signalk/v1/access/requests. This causes a...

CVSS: 7.5 | AI score: 6.9 | EPSS: 0.00085
Exploits: 1 | References: 1
RedhatCVE
added 2026/01/02 6:37 p.m. | 2 views

CVE-2025-68620

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...

CVSS: 9.1 | AI score: 7.2 | EPSS: 0.00056
Exploits: 1 | References: 1
Github Security Blog
added 2026/01/02 3:28 p.m. | 5 views

Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling

SignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. Unauthenticated WebSocket Request Enumeration: When ...

CVSS: 9.1 | AI score: 6.9 | EPSS: 0.00056
Exploits: 1 | References: 5 | Affected Software: 1
OSV
added 2026/01/02 3:28 p.m. | 2 views

GHSA-FQ56-HVG6-WVM5 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling

SignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. Unauthenticated WebSocket Request Enumeration: When ...

CVSS: 9.1 | AI score: 6.9 | EPSS: 0.00056
Exploits: 1 | References: 5
Snyk
added 2026/01/02 3:26 p.m. | 2 views

User Impersonation

Overview: signalk-server is an implementation of a Signal K server for boats. Affected versions of this package are vulnerable to User Impersonation via the access request system. An attacker can obtain elevated privileges and impersonate trusted devices by submitting misleading descriptions,...

CVSS: 8.8 | AI score: 6.8 | EPSS: 0.00021
Exploits: 1 | References: 2
Github Security Blog
added 2026/01/02 3:26 p.m. | 6 views

Signal K Server Vulnerable to Access Request Spoofing

The SignalK access request system has two related features that when combined by themselves and with the information disclosure vulnerability enable convincing social engineering attacks against administrators. When a device creates an access request, it specifies three fields: clientId,...

CVSS: 8.8 | AI score: 6.7 | EPSS: 0.00021
Exploits: 1 | References: 5 | Affected Software: 1
OSV
added 2026/01/02 3:26 p.m. | 1 view

GHSA-VFRF-VCJ7-WVR8 Signal K Server Vulnerable to Access Request Spoofing

The SignalK access request system has two related features that when combined by themselves and with the information disclosure vulnerability enable convincing social engineering attacks against administrators. When a device creates an access request, it specifies three fields: clientId,...

CVSS: 6.3 | AI score: 6.6 | EPSS: 0.00021
Exploits: 1 | References: 5
EUVD
added 2026/01/02 3:26 p.m. | 2 views

EUVD-2025-206135

Signal K Server Vulnerable to Access Request Spoofing...

CVSS: 6.3 | AI score: 6.4 | EPSS: 0.00021
Exploits: 1 | References: 4
OSV
added 2026/01/02 3:20 p.m. | 3 views

GHSA-7RQC-FF8M-7J23 Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding

Summary: A Denial of Service (DoS) vulnerability allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint /signalk/v1/access/requests. This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. Details: The...

CVSS: 7.5 | AI score: 7 | EPSS: 0.00085
Exploits: 1 | References: 5
Snyk
added 2026/01/02 3:20 p.m. | 2 views

Allocation of Resources Without Limits or Throttling

Overview: signalk-server is an implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the /signalk/v1/access/requests endpoint. An attacker can cause the server to exhaust memory resources and...

CVSS: 8.7 | AI score: 6.7 | EPSS: 0.00085
Exploits: 1 | References: 2
EUVD
added 2026/01/02 3:20 p.m. | 2 views

EUVD-2025-206139

Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding...

CVSS: 7.5 | AI score: 6.4 | EPSS: 0.00085
Exploits: 1 | References: 4
Cvelist
added 2026/01/01 6:37 p.m. | 20 views

CVE-2025-69203 Signal K Server Vulnerable to Access Request Spoofing

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that when combined by themselves and with an information disclosure vulnerability enable convincing social engineering attacks against...

CVSS: 6.3 | EPSS: 0.00021
Exploits: 1 | References: 2
CVE
added 2026/01/01 6:37 p.m. | 6 views

CVE-2025-69203

CVE-2025-69203 concerns Signal K Server

CVSS: 8.8 | AI score: 5.8 | EPSS: 0.00021
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2026/01/01 6:29 p.m. | 9 views

CVE-2025-68620

CVE-2025-68620 concerns Signal K Server (prior to v2.19.0) where two flaws enable JWT token theft without authentication. First, Unauthenticated WebSocket Request Enumeration: connecting to the stream endpoint with serverevents=all exposes cached ACCESS_REQUEST events to readonly/unauthenticated use...

CVSS: 9.1 | AI score: 6.8 | EPSS: 0.00056
Exploits: 1 | References: 2 | Affected Software: 1
Vulnrichment
added 2026/01/01 6:29 p.m. | 1 view

CVE-2025-68620 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...

CVSS: 9.1 | AI score: 6.8 | EPSS: 0.00056
Exploits: 1 | References: 2
OSV
added 2026/01/01 6:8 p.m. | 1 view

CVE-2025-68272 Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding

Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint /signalk/v1/access/requests. This causes a...

CVSS: 7.5 | AI score: 6.8 | EPSS: 0.00085
Exploits: 1 | References: 4
Cvelist
added 2026/01/01 6:8 p.m. | 17 views

CVE-2025-68272 Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding

Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint /signalk/v1/access/requests. This causes a...

CVSS: 7.5 | EPSS: 0.00085
Exploits: 1 | References: 2
CVE
added 2026/01/01 6:8 p.m. | 6 views

CVE-2025-68272

Summary: Signal K Server up to version 2.19.0 is affected by a DoS via unrestricted access request flooding at the endpoint /signalk/v1/access/requests. The issue arises from unbounded in-memory storage of access requests, leading to a JavaScript heap out of memory and server crash when handling ...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.00085
Exploits: 1 | References: 2 | Affected Software: 1
Positive Technologies
added 2026/01/01 12:0 a.m. | 2 views

PT-2026-1016

Name of the Vulnerable Software and Affected Versions: Signal K Server versions prior to 2.19.0. Description: Signal K Server is a server application used on boats. A Denial of Service (DoS) condition can occur in versions prior to 2.19.0. An unauthenticated attacker can crash the server by sending a...

CVSS: 7.5 | AI score: 6.7 | EPSS: 0.00085
Exploits: 1 | References: 10