CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-66398: Sinking the Ship: Signal K Server State Pollution to RCE

Vulnerability ID: CVE-2025-66398
CVSS Score: 9.6
Published: 2026-01-02

A critical vulnerability in Signal K Server allows unauthenticated attackers to pollute a global variable used during backup restoration. By hijacking this shared state, an attacker can overwrite server configurations, gain administrative privileges, and chain a secondary command injection flaw to achieve full Remote Code Execution (RCE).

TL;DR

Signal K Server stored the path to a backup file in a global module variable. Unauthenticated attackers could upload a malicious backup, overwriting this variable. When a legitimate admin later triggered a restore, the server would use the attacker's file instead, leading to account takeover and eventual RCE via a separate command injection bug in the package manager.
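To make the state-pollution pattern concrete, here is an added illustration (not Signal K Server's code): a module-level `restoreFilePath` that any caller can overwrite, beside a per-session `Map` in the spirit of the fix's `restoreSessions`. The request objects, field names, staging TTL and file paths are constructed for the demo.

```javascript
'use strict';
// Constructed requests: an authenticated admin session and an unauthenticated caller.
const admin = { sessionId: 's-admin', userId: 'admin', isAdmin: true };
const anon = { sessionId: 's-anon', userId: null, isAdmin: false };

// --- Vulnerable pattern: one module-level variable shared by every request ---
let restoreFilePath = null; // plays the role of the old `var restoreFilePath`

function vulnUpload(req, file) {
  restoreFilePath = file; // no auth check and no per-requester isolation
}
function vulnRestore(req) {
  return restoreFilePath; // whoever wrote last wins, regardless of who restores
}

// --- Hardened pattern: staged file keyed on the authenticated admin's own session ---
const restoreSessions = new Map();
const STAGING_TTL_MS = 10 * 60 * 1000; // hypothetical expiry for a staged backup

function safeUpload(req, file, now = Date.now()) {
  if (!req.isAdmin) throw new Error('restore upload requires an admin session');
  restoreSessions.set(req.sessionId, { file, owner: req.userId, stagedAt: now });
}
function safeRestore(req, now = Date.now()) {
  const entry = restoreSessions.get(req.sessionId);
  const stale = entry && now - entry.stagedAt > STAGING_TTL_MS;
  if (!entry || entry.owner !== req.userId || stale) {
    restoreSessions.delete(req.sessionId);
    throw new Error('no valid restore staged for this session');
  }
  restoreSessions.delete(req.sessionId); // single use: cannot be replayed later
  return entry.file;
}

// Replays the sequence from the advisory: the admin stages a backup, an
// unauthenticated caller uploads afterwards, then the admin triggers the restore.
// Returns the file the restore step would actually consume.
function replay(upload, restore) {
  upload(admin, '/tmp/admin-backup.zip');
  try { upload(anon, '/tmp/attacker-backup.zip'); } catch (e) { /* rejected by safeUpload */ }
  return restore(admin);
}

console.log('vulnerable restores:', replay(vulnUpload, vulnRestore));
console.log('hardened restores:  ', replay(safeUpload, safeRestore));
```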


⚠️ Exploit Status: PoC available

Technical Details

  • CWE ID: CWE-1329 (Reliance on Component State)
  • Secondary CWE: CWE-78 (OS Command Injection)
  • CVSS Score: 9.6 (Critical)
  • Attack Vector: Network (Unauthenticated)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: PoC Available

Affected Systems

  • Signal K Server < 2.19.0 (fixed in 2.19.0)

Code Analysis

Commit: 5c211ea

Fix restore state pollution and command injection vulnerabilities

@@ -15,7 +15,7 @@
- var restoreFilePath;
+ const restoreSessions = new Map();
...
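Review bot: replacing the module-level `var restoreFilePath` with `const restoreSessions = new Map()` only removes the shared state if the visible follow-up (elided here as `...`) keys each entry on the authenticated admin's session, checks at restore time that the entry belongs to the same principal, and deletes the entry once used or after a timeout; without those three checks a Map is just a larger container for the same pollution. The commit message also claims a fix for the package-manager command injection, but no hunk touching that code path is shown in this excerpt, so that part of the fix cannot be reviewed from what is visible.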

Exploit Details

Mitigation Strategies

  • Update Signal K Server to version 2.19.0 or later.
  • Do not expose Signal K Server (port 3000) directly to the internet.
  • Use a VPN (e.g., Tailscale, WireGuard) for remote access.
  • Audit security.json for unrecognized administrator accounts.

Remediation Steps:

  1. Log in to the host machine running Signal K.
  2. Run npm install -g signalk-server@latest.
  3. Restart the Signal K service.
  4. Verify the version is >= 2.19.0 in the dashboard footer.

Read the full report for CVE-2025-66398 on our website for more details including interactive diagrams and full exploit analysis.