CVE-2025-68620: Signal K: Sinking the Ship with a Leaky WebSocket

#security #cve #cybersecurity

Signal K: Sinking the Ship with a Leaky WebSocket

Vulnerability ID: CVE-2025-68620
CVSS Score: 9.1
Published: 2026-01-02

A critical authentication bypass in Signal K Server allows unauthenticated attackers to hijack administrative sessions. By listening to the public WebSocket stream for access request IDs and polling an insecure REST endpoint, attackers can steal valid JWTs the moment an administrator approves a legitimate device.

TL;DR

Signal K Server broadcasted sensitive 'access request' events—including request IDs—to unauthenticated WebSocket clients. Coupled with a polling endpoint that returned plaintext JWTs upon request approval, this allowed attackers to passively snoop on legitimate login attempts and steal the resulting session tokens, granting full administrative control over the vessel's data server.

⚠️ Exploit Status: POC

Technical Details

Attack Vector: Network (WebSocket & REST)
CVSS v3.1: 9.1 (Critical)
CWE: CWE-306 (Missing Authentication for Critical Function)
Exploit Status: PoC Available
Impact: Full Admin Compromise
Prerequisites: None (Unauthenticated)

Affected Systems

Signal K Server
Signal K Server: < 2.19.0 (Fixed in: 2.19.0)

Code Analysis

Commit: 221aff6

Fix access request information leak via serverAdminEvent

ts
- app.emit('serverEvent', ...)
+ app.emit('serverAdminEvent', ...)

Exploit Details

Research Analysis: Logic flaw in event handling allows token recovery.

Mitigation Strategies

Upgrade to Signal K Server v2.19.0+
Disable 'allow_readonly' in server configuration
Implement VPN access for remote monitoring instead of exposing ports

Remediation Steps:

Stop the Signal K server service.
Run npm install -g signalk-server (or update via your specific package manager/Docker container).
Verify the version is >= 2.19.0.
Restart the service.
Check security logs for unknown approved devices.