Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)
- Severity: High
Description
The HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path — sending {login: {username, password}} messages over an established WebSocket connection — calls app.securityStrategy.login() directly without any rate limiting.
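As an added example, not code from signalk-server or from this advisory: a per-client sliding-window limiter placed in front of the WebSocket login message path, shaped like the express-rate-limit max/window that already protects the HTTP login routes. The names makeLoginLimiter, handleWsMessage and fakeStrategy are hypothetical, and the real securityStrategy.login() is replaced by a constructed stub.

```javascript
// Added example, not signalk-server's own code: a per-client limiter for
// WebSocket {login:{...}} messages, shaped like the express-rate-limit max/window
// used on the HTTP login routes. All names below are hypothetical.

// Sliding-window counter keyed by client identity (e.g. remote address).
function makeLoginLimiter({ max = 100, windowMs = 10 * 60 * 1000 } = {}) {
  const attempts = new Map(); // key -> timestamps (ms) of attempts in window
  return {
    allow(key, now = Date.now()) {
      const recent = (attempts.get(key) || []).filter((t) => t > now - windowMs);
      const allowed = recent.length < max;
      if (allowed) recent.push(now);
      attempts.set(key, recent);
      return allowed;
    },
  };
}

// Dispatch one parsed WebSocket message. Only messages carrying a `login`
// object consume budget; once it is spent the credential check (standing in
// for securityStrategy.login()) is not reached at all.
function handleWsMessage(limiter, strategy, clientKey, msg, now) {
  if (!msg || typeof msg.login !== 'object' || msg.login === null) return { kind: 'other' };
  if (!limiter.allow(clientKey, now)) {
    return { kind: 'login', status: 429, message: 'Too many login attempts' };
  }
  const ok = strategy.login(msg.login.username, msg.login.password);
  return { kind: 'login', status: ok ? 200 : 401 };
}

// Constructed stand-in for the real security strategy; counts invocations.
const fakeStrategy = {
  calls: 0,
  login(username, password) {
    this.calls += 1;
    return username === 'admin' && password === 'correct-horse';
  },
};

// Demo: budget of 5 per minute on one socket; the sixth login is refused.
function demo() {
  const limiter = makeLoginLimiter({ max: 5, windowMs: 60_000 });
  const statuses = [];
  for (let i = 0; i < 6; i++) {
    const msg = { login: { username: 'admin', password: `guess${i}` } };
    statuses.push(handleWsMessage(limiter, fakeStrategy, '10.0.0.7', msg, 1_000_000 + i).status);
  }
  return { statuses, strategyCalls: fakeStrategy.calls };
}
```

The limiter key should be the same client identity the HTTP limiter uses (typically the remote address), so a client cannot reset its budget by reconnecting the socket.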
Recommendation
Update the signalk-server package to the latest compatible version. Version details follow:
- Affected version(s): <= 2.24.0
- Patched version(s): 2.25.0
Related Issues
- Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths - CVE-2026-39320
- Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity - CVE-2026-33950
- Signal K Server: Arbitrary Prototype Read via `from` Field Bypass - CVE-2026-35038
- Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling - CVE-2025-68620
Tags: npm, signalk-server
Last updated on May 13, 2026