CVE-2025-66398
Published 2026-01-01
Priority P271 | high | 8.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 17.93% (96.8th percentile)
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| signalk | signal_k_server | < 2.19.0 | 2.19.0 |
| signalk | signalk-server | < 2.19.0 | 2.19.0 |
| signalk | signalk-server | >= 0 < 2.19.0 | 2.19.0 |
OSV
Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
osv·2026-01-02
CVE-2025-66398 [CRITICAL] Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
### Summary
An unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE).
### Details
The vulnerability is caused by the use of a module-level global variable `restoreFilePath` in `src/serverroutes.ts`, which is shared across all requests.
**Vulnerable Code Analysis:**
1. **Global State**: `restoreFilePath` is defined at the top level of the module.
```typescript
// src/serverroutes.ts
let restore
```
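The shared-state pattern from the Details section, modelled in an added example that is not Signal K Server code: the handler functions, the `Session` type and the sample paths are hypothetical. The session-scoped variant is one possible hardening, not a description of the 2.19.0 patch.

```typescript
// Added illustration, not Signal K Server source. Every name except
// restoreFilePath is hypothetical; the paths are constructed sample values.
type Session = { id: string; isAdmin: boolean };

// Pattern from the advisory: one module-level variable shared by all requests.
let restoreFilePath: string | undefined;

function validateBackupShared(uploadedPath: string): void {
  // No caller identity is checked or recorded with the stored path.
  restoreFilePath = uploadedPath;
}

function restoreShared(session: Session): string {
  if (!session.isAdmin) throw new Error("forbidden");
  if (!restoreFilePath) throw new Error("no validated backup");
  return restoreFilePath; // whichever request wrote last, not necessarily this admin's
}

// Hardened form: pending state is keyed by the authenticated session that set it.
const pendingRestores = new Map<string, string>();

function validateBackupScoped(session: Session | null, uploadedPath: string): void {
  if (!session || !session.isAdmin) throw new Error("forbidden");
  pendingRestores.set(session.id, uploadedPath);
}

function restoreScoped(session: Session): string {
  if (!session.isAdmin) throw new Error("forbidden");
  const path = pendingRestores.get(session.id);
  if (!path) throw new Error("no validated backup for this session");
  pendingRestores.delete(session.id); // single use
  return path;
}

// Constructed scenario: the admin validates a backup, a second caller without a
// session validates a different file, then the admin triggers the restore.
function demo(): { shared: string; scoped: string; rejected: boolean } {
  const admin: Session = { id: "s-admin", isAdmin: true };
  validateBackupShared("/tmp/admin-backup.zip");
  validateBackupShared("/tmp/other-upload.zip");
  const shared = restoreShared(admin);

  validateBackupScoped(admin, "/tmp/admin-backup.zip");
  let rejected = false;
  try { validateBackupScoped(null, "/tmp/other-upload.zip"); } catch { rejected = true; }
  return { shared, scoped: restoreScoped(admin), rejected };
}
```

The assertions a regression test would make on `demo()` are that `scoped` is the admin's own file and `rejected` is true; in the shared variant the restore returns the file written by the last caller.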
GHSA
Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
ghsa·2026-01-02
CVE-2025-66398 [CRITICAL] CWE-78 Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
No detection rules found.
No public exploits indexed.
2026-01-01
Published