CVE Reports
Posted on • Originally published at cvereports.com

CVE-2025-68619: Signal K RCE: How a Malicious npm Package Can Sink Your Boat

Vulnerability ID: CVE-2025-68619
CVSS Score: 7.3
Published: 2026-01-02

Signal K Server, the open-source hub for marine data, contained a Remote Code Execution (RCE) vulnerability in its plugin management system. By failing to validate version strings passed to the npm installer, the server allowed authenticated administrators to trick the system into downloading and executing malicious packages from arbitrary URLs.

TL;DR

Authenticated administrators can achieve Remote Code Execution (RCE) on Signal K Server versions prior to 2.19.0. The vulnerability exists because the server passes unsanitized user input directly to npm install, allowing an attacker to specify a remote URL instead of a semantic version. This triggers the download of a malicious package and the immediate execution of its postinstall scripts.

⚠️ Exploit Status: POC

Technical Details

  • Attack Vector: Network (Authenticated API)
  • Impact: Remote Code Execution (RCE)
  • CVSS v4.0: 7.3 (High)
  • CWE ID: CWE-94 (Improper Control of Generation of Code)
  • Component: Plugin Management / npm wrapper
  • Prerequisites: Admin Credentials

Affected Systems

  • Signal K Server < 2.19.0 (Fixed in: 2.19.0)

Code Analysis

Commit: f06140b

Fix: Validate npm version string to prevent arbitrary URL installation

if (version && version !== '' && !semver.valid(version)) { ...
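The following is an added example, not code from Signal K Server or from commit f06140b. It shows the shape of the defect and of the fix side by side: the package name "some-plugin", the URL on example.invalid and the version strings are constructed test inputs, and the semver.org regular expression stands in for the `semver` package's `semver.valid()` so the block runs without dependencies.

```javascript
// Strict SemVer 2.0.0 pattern from semver.org (optional leading "v", as semver.valid accepts).
// Stand-in for semver.valid() so this example has no dependencies (assumption: same accept set).
const SEMVER_RE = /^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

// Mirrors semver.valid(): returns the normalised version or null when the input is not a version.
function validSemver(version) {
  if (typeof version !== 'string') return null;
  const v = version.trim();
  return SEMVER_RE.test(v) ? v.replace(/^v/, '') : null;
}

// Pre-2.19.0 shape: the admin-supplied string is appended to the package name and
// handed to npm unchanged. npm accepts many spec forms besides versions (tags, URLs,
// tarballs), so anything npm understands becomes an install target.
function buildInstallSpecUnsafe(name, version) {
  return version ? `${name}@${version}` : name;
}

// Fixed shape (same condition as the commit): an empty version means "default",
// anything else must parse as a semantic version, otherwise npm is never invoked.
function buildInstallSpec(name, version) {
  if (version && version !== '' && !validSemver(version)) {
    throw new Error(`Invalid version string: ${JSON.stringify(version)}`);
  }
  return version ? `${name}@${validSemver(version)}` : name;
}

// Constructed inputs an admin endpoint might receive; only real versions should pass.
const SAMPLE_VERSIONS = ['1.2.3', 'v2.19.0', '1.0.0-beta.1+build.5', '', 'latest',
  '01.2.3', 'https://example.invalid/pkg.tgz', '../local-dir'];

// Returns, for each input, whether the hardened builder accepts it (useful as a log audit hook).
function auditVersions(versions) {
  return versions.map((version) => {
    try { return { version, accepted: true, spec: buildInstallSpec('some-plugin', version) }; }
    catch (e) { return { version, accepted: false, spec: null }; }
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditVersions(SAMPLE_VERSIONS)) console.log(r);
}
```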

Exploit Details

  • Theoretical: Exploitation relies on standard npm functionality to install from remote URLs.

Mitigation Strategies

  • Input Validation
  • Principle of Least Privilege
  • Network Segmentation

Remediation Steps:

  1. Update Signal K Server to version 2.19.0 or later immediately.
  2. Review the server logs for any installation attempts from unusual URLs or packages.
  3. Ensure the Signal K admin interface is not exposed to the public internet.
  4. Run the Signal K server process with a dedicated, low-privilege user account, not root.

Read the full report for CVE-2025-68619 on our website for more details including interactive diagrams and full exploit analysis.