Lost at Sea: Windows Path Traversal in Signal K Server
Vulnerability ID: CVE-2026-25228
CVSS Score: 5.0
Published: 2026-02-02
A classic 'Linux-brain' implementation error in Signal K Server exposes Windows installations to directory traversal. By failing to sanitize backslashes in the applicationData API, authenticated users can escape the application sandbox to read and write arbitrary files on the underlying filesystem.
TL;DR
Signal K Server (marine data software) forgot that Windows uses backslashes (\) for paths. Authenticated attackers can use ..\ sequences to traverse out of the data directory and access sensitive system files on Windows hosts.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22 (Path Traversal)
- CVSS v3.1: 5.0 (Medium)
- Attack Vector: Network (Authenticated)
- Platform: Windows
- Impact: File Read/Write outside web root
- Fix Version: 2.20.3
Affected Systems
- Signal K Server (Windows)
- Signal K Server: < 2.20.3 (Fixed in: 2.20.3)
Code Analysis
Commit: 9bcf61c
Fix path traversal vulnerability on Windows by adding backslash check and path normalization
function validateAppId(appid) {
- return appid.length < 30 && appid.indexOf('/') === -1 ? appid : null
+ return appid.length < 30 && appid.indexOf('/') === -1 && appid.indexOf('\\') === -1 ? appid : null
}
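Review bot: This hunk only adds the backslash check; the path normalization named in the commit message is not in these lines, and with separators alone denied the string `..` still passes validateAppId (under 30 characters, no '/' and no '\\'), so it is returned as a valid app id. Suggest an allowlist on the characters an app id may contain, e.g. `return /^[a-z0-9_-]{1,29}$/.test(appid) ? appid : null`, plus a check at the point where the id is joined to a filesystem path that the resolved result still lies under the data directory.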
Exploit Details
- Speculative: Traversal via URL encoded backslashes in appid parameter on Windows hosts.
Mitigation Strategies
- Update Signal K Server to version 2.20.3 or later.
- Restrict network access to trusted IPs only.
- Run the server with the least privilege possible (avoid Administrative accounts on Windows).
Remediation Steps:
- Stop the Signal K Server.
- Run npm install -g signalk-server to fetch the latest version.
- Restart the server.
- Verify the version in the dashboard footer reads 2.20.3+.
References
Read the full report for CVE-2026-25228 on our website for more details including interactive diagrams and full exploit analysis.