Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
- Severity: High
Description
An unauthenticated attacker can pollute the internal state (restoreFilePath) of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator’s “Restore” functionality to overwrite critical server configuration files (e.g., security.json, package.json), leading to account takeover and Remote Code Execution (RCE).
Recommendation
Update the signalk-server package to the latest compatible version. Version details:
- Affected version(s): < 2.19.0
- Patched version(s): 2.19.0
References
Related Issues
- Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package - CVE-2025-68619
- Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling - CVE-2025-68620
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- @saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defst - Vulnerability
- Tags: npm, signalk-server
Last updated on January 02, 2026