DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-68272: Sinking the Ship: Signal K Server Heap Exhaustion (CVE-2025-68272)

#security #cve #cybersecurity

Sinking the Ship: Signal K Server Heap Exhaustion (CVE-2025-68272)

Vulnerability ID: CVE-2025-68272
CVSS Score: 7.5
Published: 2026-01-02

A critical Denial of Service vulnerability in Signal K Server allows unauthenticated remote attackers to crash the application via heap exhaustion. By flooding the access request endpoint, the Node.js process runs out of memory, potentially taking down navigation data integration on equipped vessels.

TL;DR

Signal K Server < 2.19.0 contains an unauthenticated memory leak in its device authorization flow. Attackers can spam connection requests with large payloads, filling the JavaScript heap and crashing the server. Fix: Upgrade to 2.19.0+.

⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-400 (Uncontrolled Resource Consumption)
  • Attack Vector: Network
  • CVSS v3.1: 7.5 (High)
  • Impact: Denial of Service (Availability)
  • Privileges Required: None
  • Component: Access Request Handler

Affected Systems

  • Signal K Server < 2.19.0
  • Signal K Server: < 2.19.0 (Fixed in: 2.19.0)

Code Analysis

Commit: 55e3574

Fix: Limit pending access requests and payload size

+ const PENDING_ACCESS_REQUESTS_LIMIT = 100
+ if (Object.keys(requests).length >= PENDING_ACCESS_REQUESTS_LIMIT)...
Enter fullscreen mode Exit fullscreen mode

Commit: 43462c3

Fix: Add Trust Proxy support for rate limiting

+ app.set('trust proxy', settings.trustProxy)
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Research Analysis: Exploitation is trivial via standard HTTP POST flooding scripts.

Mitigation Strategies

  • Rate Limiting (Express Rate Limit)
  • Payload Size Validation
  • Resource Allocation Caps (Max Pending Requests)
  • Trust Proxy Configuration

Remediation Steps:

  1. Identify the current Signal K Server version via the dashboard or package.json.
  2. Pull the latest Docker image (signalk/signalk-server:latest) or update via npm (npm install -g signalk-server).
  3. Verify the version is >= 2.19.0.
  4. If running behind a reverse proxy (Nginx/Apache), update settings.json to include valid trustProxy settings.

References

Read the full report for CVE-2025-68272 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)