
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-68273: Leaking the Bilge: Signal K Server Unauthenticated Info Disclosure


Vulnerability ID: CVE-2025-68273
CVSS Score: 5.3
Published: 2026-01-02

Signal K Server, the open-source nervous system of modern connected boats, shipped with a fail-open authorization design: its security middleware enforced authentication only on paths enumerated in a central list, so any route left off that list was served to anyone who could reach the port. Three diagnostic API endpoints were missing from that list, exposing system internals and hardware configuration to unauthenticated remote attackers.

TL;DR

Versions of Signal K Server prior to 2.19.0 allow unauthenticated access to sensitive diagnostic endpoints. Because the security middleware's list of protected paths omitted them, anyone who can reach the server can enumerate its serial ports, retrieve the full server data schema, and fingerprint installed analyzers without presenting any credentials.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-200
  • Attack Vector: Network
  • CVSS Score: 5.3
  • Impact: Information Disclosure
  • Patch Commit: ead2a03d8994969cafcca0320abee16f0e66e7a9
  • Exploit Status: PoC Available

Affected Systems

  • Signal K Server < 2.19.0 (fixed in 2.19.0)

Code Analysis

Commit: ead2a03

Fix: add missing paths to security middleware lists

diff --git a/src/tokensecurity.js b/src/tokensecurity.js
... + '/availablePaths',
+ '/hasAnalyzer',
...
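Review bot: adding '/availablePaths' and '/hasAnalyzer' to the protected-path list fixes these two routes but keeps the fail-open default that let them slip through in the first place: any route registered later without an entry in these lists is again served without a token. Prefer inverting the check so that every route under the API prefix requires a token unless it is explicitly listed as public, or at least add a test that enumerates the registered routes and fails when one is missing from the lists.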

Exploit Details

  • Research Analysis: Manual verification with curl confirms that the affected endpoints answer requests carrying no credentials instead of returning 401.

Mitigation Strategies

  • Upgrade to Signal K Server 2.19.0 or later immediately.
  • If remote access is required, place the server behind a reverse proxy (Nginx/Apache) that enforces its own authentication (for example Basic Auth over TLS), in addition to the upgrade rather than instead of it.
  • Prefer a VPN (Tailscale, WireGuard) over forwarding the server's port to the internet.
  • Audit custom plugins to confirm that every route they register performs its own authorization check rather than relying on the server's list of protected paths.

Remediation Steps:

  1. Pull the latest Docker image: docker pull signalk/signalk-server
  2. Or update via npm: npm install -g signalk-server
  3. Restart the server service.
  4. Verify the fix: a request to /skServer/serialports with no credentials must now return 401 Unauthorized, and the availablePaths and hasAnalyzer endpoints should be checked the same way.
