Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
- Severity: High
Description
A Denial of Service (DoS) vulnerability allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (/signalk/v1/access/requests). This causes a “JavaScript heap out of memory” error due to unbounded in-memory storage of request objects.
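The failure mode described above is unbounded growth of pending access requests in memory. The sketch below is an added example, not code from signalk-server or its 2.19.0 fix; the class name, limits and status codes are assumptions chosen for illustration. It caps pending requests globally and per source and expires stale ones, so a flood is rejected instead of exhausting the heap.

```javascript
// Added illustration, not signalk-server code. All names here are hypothetical.
class BoundedRequestStore {
  constructor({ maxPending = 100, maxPerSource = 3, ttlMs = 60_000 } = {}) {
    this.maxPending = maxPending;
    this.maxPerSource = maxPerSource;
    this.ttlMs = ttlMs;
    this.pending = new Map(); // requestId -> { source, createdAt, body }
    this.nextId = 1;
  }

  // Drop requests nobody approved or denied within the TTL.
  // A Map iterates in insertion order, so the oldest entries come first
  // (assumes callers pass non-decreasing timestamps).
  expire(now) {
    for (const [id, entry] of this.pending) {
      if (now - entry.createdAt < this.ttlMs) break;
      this.pending.delete(id);
    }
  }

  countFor(source) {
    let n = 0;
    for (const entry of this.pending.values()) if (entry.source === source) n++;
    return n;
  }

  // Returns an HTTP-style result instead of storing without limit.
  add(source, body, now = Date.now()) {
    this.expire(now);
    if (this.countFor(source) >= this.maxPerSource) {
      return { status: 429, reason: 'too many pending requests from this source' };
    }
    if (this.pending.size >= this.maxPending) {
      return { status: 503, reason: 'pending request queue is full' };
    }
    const id = String(this.nextId++);
    this.pending.set(id, { source, createdAt: now, body });
    return { status: 202, requestId: id };
  }
}

// Constructed sample: one source submits `count` requests in a single burst.
function simulateFlood(store, source, count, now) {
  const tally = {};
  for (let i = 0; i < count; i++) {
    const { status } = store.add(source, { clientId: `c-${i}` }, now);
    tally[status] = (tally[status] || 0) + 1;
  }
  return tally;
}
```

With these limits, memory use is bounded by `maxPending` entries regardless of how many requests arrive; request body size would need its own cap at the HTTP layer.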
Recommendation
Update the signalk-server package to the latest compatible version. Version details:
- Affected version(s): < 2.19.0
- Patched version(s): 2.19.0
Related Issues
- AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value - Vulnerability
- Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling - CVE-2025-68620
- Signal K Server Vulnerable to Access Request Spoofing - CVE-2025-69203
- Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints - CVE-2025-68273
- Tags: npm, signalk-server
Last updated on January 02, 2026