Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
- Severity: High
Description
The SignalK server is vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within its WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the context parameter of a stream subscription, an attacker can force the server’s Node.
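A hardened way to turn a subscription context into a path matcher, added here as an example and not code from signalk-server itself. It assumes contexts are dot-separated segments in which `*` is the only wildcard, and the allowed character set is an assumption as well.

```javascript
// Added example (not signalk-server's own code). The fix for this class of
// bug is to never hand user-controlled text to the regex engine unescaped.
// Assumption: a subscription context such as "vessels.*" is a sequence of
// dot-separated segments where "*" is the only wildcard; everything else
// must be matched literally.

// Escape every regex metacharacter so untrusted input is matched literally.
function escapeRegex(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Turn a context pattern into an anchored RegExp. Each "*" becomes a
// single-segment wildcard ([^.]+), which the engine matches in linear time;
// all other characters, including "(" or "+", are escaped so they cannot
// introduce nested quantifiers or alternation.
function contextToRegExp(contextPattern) {
  const source = contextPattern
    .split("*")
    .map(escapeRegex)
    .join("[^.]+");
  return new RegExp("^" + source + "$");
}

// Does a concrete context match the subscription pattern?
function contextMatches(contextPattern, context) {
  return contextToRegExp(contextPattern).test(context);
}

// Defence in depth: validate the context before compiling anything, so a
// hostile pattern is rejected at the WebSocket boundary rather than compiled.
// Assumed alphabet: Signal K identifiers use letters, digits, "_", ":", "-",
// "." as separator and "*" as wildcard.
const ALLOWED_CONTEXT = /^[A-Za-z0-9_:.\-*]+$/;
function isAcceptableContext(contextPattern) {
  return typeof contextPattern === "string" &&
    contextPattern.length <= 256 &&
    ALLOWED_CONTEXT.test(contextPattern);
}
```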
Recommendation
Update the signalk-server package to the latest compatible version. Version details:
- Affected version(s): < 2.25.0
- Patched version(s): 2.25.0
References
Related Issues
- Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery - CVE-2026-30925
- tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability - CVE-2026-22809
- markdown-it has a Regular Expression Denial of Service (ReDoS) - CVE-2026-2327
- Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling - CVE-2025-68620
Tags:
- npm
- signalk-server
Last updated on April 21, 2026