Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
- Severity:
- High
Description
An unauthenticated attacker can set the server's internal restoreFilePath state through the /skServer/validateBackup endpoint, which does not require authentication. Because the administrator's "Restore" action later consumes that value, an attacker who has polluted it can hijack the restore and overwrite critical server configuration files (e.g., security.json, package.json) once an administrator triggers a restore, leading to account takeover and Remote Code Execution (RCE).
Recommendation
Update the signalk-server package to the latest compatible version. Version details:
- Affected version(s): < 2.19.0
- Patched version(s): 2.19.0
References
Related Issues
- Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints - CVE-2025-68273
- Signal K Server Vulnerable to Access Request Spoofing - CVE-2025-69203
- Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package - CVE-2025-68619
- Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
- Tags:
- npm
- signalk-server
Last updated on January 02, 2026