Github Security Blog
added 2026/01/02 3:28 p.m., 4 views

Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling

SignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. Unauthenticated WebSocket Request Enumeration: When ...

CVSS 9.1 | AI score 6.9 | EPSS 0.00056
Exploits 1 | References 5 | Affected Software 1
OSV
added 2026/01/01 6:29 p.m., 1 view

CVE-2025-68620 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...

CVSS 9.1 | AI score 7.1 | EPSS 0.00056
Exploits 1 | References 4
CVE
added 2026/01/01 6:29 p.m., 9 views

CVE-2025-68620

CVE-2025-68620 concerns Signal K Server (versions prior to v2.19.0), where two flaws enable JWT token theft without authentication. First, Unauthenticated WebSocket Request Enumeration: connecting to the stream endpoint with serverevents=all exposes cached ACCESS_REQUEST events to readonly/unauthenticated use...

CVSS 9.1 | AI score 6.8 | EPSS 0.00056
Exploits 1 | References 2 | Affected Software 1
Vulnrichment
added 2026/01/01 6:29 p.m., 1 view

CVE-2025-68620 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...

CVSS 9.1 | AI score 6.8 | EPSS 0.00056
Exploits 1 | References 2
Cvelist
added 2026/01/01 6:29 p.m., 20 views

CVE-2025-68620 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated...

CVSS 9.1 | EPSS 0.00056
Exploits 1 | References 2