CVE-2025-68272
Published 2026-01-01
Priority: P345 | high | 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.52% (40.1th percentile)
Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. Version 2.19.0 fixes the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| signalk | signal_k_server | < 2.19.0 | 2.19.0 |
| signalk | signalk-server | < 2.19.0 | 2.19.0 |
| signalk | signalk-server | >= 0 < 2.19.0 | 2.19.0 |
OSV
Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
osv·2026-01-02
CVE-2025-68272 [HIGH] Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
### Summary
A Denial of Service (DoS) vulnerability allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects.
### Details
The vulnerability is caused by a lack of rate limiting and improper memory management for incoming access requests.
**Vulnerable Code Analysis:**
1. **In-Memory Storage**: In `src/requestResponse.js`, requests are stored in a simple JavaScript object:
```javascript
const requests = {}
```
2. **Unbounded Growth**: The `createRequest` function adds new requests to this object without checking the cur
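
The unbounded `requests = {}` pattern described above, set against a bounded store, as an added example (not Signal K's code, and not a description of how 2.19.0 fixes the issue). `BoundedRequestStore`, its limits, the status codes and the `clientKey` argument (for example the source address) are assumptions made for illustration.

```javascript
// Added example: hypothetical bounded replacement for an unbounded `requests = {}` store.
class BoundedRequestStore {
  constructor({ maxPending = 100, maxPerClient = 3, ttlMs = 60_000, now = Date.now } = {}) {
    Object.assign(this, { maxPending, maxPerClient, ttlMs, now })
    this.requests = new Map()  // id -> { clientKey, payload, expires }, in insertion order
    this.perClient = new Map() // clientKey -> number of live entries
    this.seq = 0
  }

  // Drop expired entries. The TTL is constant, so the oldest entries come first.
  prune() {
    const t = this.now()
    for (const [id, r] of this.requests) {
      if (r.expires > t) break
      this.remove(id)
    }
  }

  remove(id) {
    const r = this.requests.get(id)
    if (!r) return false
    this.requests.delete(id)
    const n = this.perClient.get(r.clientKey) - 1
    if (n > 0) this.perClient.set(r.clientKey, n)
    else this.perClient.delete(r.clientKey)
    return true
  }

  // Returns { ok: true, id } or { ok: false, status } for the HTTP layer to map.
  create(clientKey, payload) {
    this.prune()
    const held = this.perClient.get(clientKey) || 0
    if (held >= this.maxPerClient) return { ok: false, status: 429 } // per-client cap
    if (this.requests.size >= this.maxPending) return { ok: false, status: 503 } // global cap
    const id = String(++this.seq) // assumption: a real server would use an unguessable id
    this.requests.set(id, { clientKey, payload, expires: this.now() + this.ttlMs })
    this.perClient.set(clientKey, held + 1)
    return { ok: true, id }
  }
}
```

The caps bound the number of stored objects only; the size of each request body has to be limited separately at the HTTP layer.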
GHSA
Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
ghsa·2026-01-02
CVE-2025-68272 [HIGH] CWE-400 Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
No detection rules found.
No public exploits indexed.
Published: 2026-01-01