Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
- Severity: High
Description
SignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status.
Recommendation
Update the signalk-server package to the latest compatible version (2.19.0 or later). Version details:
- Affected version(s): < 2.19.0
- Patched version(s): 2.19.0
References
Related Issues
- Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package - CVE-2025-68619
- Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints - CVE-2025-68273
- Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
- Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) - CVE-2025-66398
- Tags: npm, signalk-server
Last updated on January 02, 2026