Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
- Severity: High
Description
The Signal K appstore interface allows administrators to install npm packages through a REST API endpoint. The endpoint validates that the package name exists in the npm registry as a known plugin or webapp, but the version parameter is passed through to npm unchanged and accepts arbitrary npm version specifiers, including URLs. Because npm resolves a specifier of the form `name@https://host/package.tgz` from that URL rather than from the registry, the name check is bypassed: a request that names a known plugin but supplies an attacker-controlled URL as the version causes the server to download and install that tarball, and npm runs any install lifecycle scripts the package declares with the privileges of the server process.
Recommendation
Update the signalk-server package to the latest compatible version. The affected and patched versions are:
- Affected version(s): < 2.9.0
- Patched version(s): 2.9.0
Related Issues
- React Router has Path Traversal in File Session Storage (GHSA-9583-h5hc-x8cw) - CVE-2025-61686
- Signal K Server Vulnerable to Access Request Spoofing - CVE-2025-69203
- Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints - CVE-2025-68273
- Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding - CVE-2025-68272
- Tags: npm, signalk-server
Last updated on January 06, 2026