CVE-2025-66398

Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)

CVSS 9.7 CRITICALEPSS 17.9%CWE-78 CWE-913

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected products

SignalK · signalk-server

public PoCs found — 2

githubgithub.com/joshuavanderpoll/cve-2025-66398★ 2 githubgithub.com/showy-headteacher114/cve-2025-66398★ 1

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 https://github.com/SignalK/signalk-server/security/advisories/GHSA-w3x5-7c4c-66p9