DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-39320: Unauthenticated ReDoS in Signal K Server WebSocket Subscriptions

Vulnerability ID: CVE-2026-39320
CVSS Score: 7.5
Published: 2026-04-21

Signal K Server prior to version 2.25.0 contains a Regular Expression Denial of Service (ReDoS) vulnerability in its WebSocket subscription handling module. The application dynamically compiles unvalidated user input into regular expressions, allowing unauthenticated remote attackers to trigger catastrophic backtracking in the Node.js V8 engine. This results in complete resource exhaustion and immediate denial of service.

TL;DR

Unauthenticated attackers can send crafted WebSocket messages containing nested regex quantifiers to Signal K Server, triggering a ReDoS condition that blocks the Node.js event loop and causes 100% CPU exhaustion.


⚠️ Exploit Status: POC

Technical Details

  • CVSS v3.1: 7.5 (High)
  • CWE IDs: CWE-1333, CWE-400
  • Attack Vector: Network (Unauthenticated)
  • Impact: Denial of Service (100% CPU exhaustion)
  • EPSS Score: 0.00041 (12.57th percentile)
  • Exploit Status: Proof of Concept (PoC) available
  • CISA KEV: Not Listed

Affected Systems

  • Signal K Server < 2.25.0 (Fixed in: 2.25.0)

Code Analysis

Commit: 215d81e

Fix ReDoS in subscriptionmanager contextMatcher via escape-string-regexp

Mitigation Strategies

  • Upgrade Signal K Server to version 2.25.0 or later.
  • Implement Web Application Firewall (WAF) rules to detect and drop WebSocket payloads containing nested regex quantifiers.
  • Restrict network access to the WebSocket port (default 3000) using firewalls or VPNs, allowing only trusted client connections.
  • Deploy reverse proxies that enforce authentication prior to allowing WebSocket protocol upgrades.
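The following is an added example, not Signal K Server's own code, illustrating the defect class named in the Code Analysis section (user input compiled directly into a RegExp) beside the mitigation the fix commit names (escaping via escape-string-regexp), plus the kind of structural check a WAF rule from the list above could apply. The escape helper is a hand-written stand-in for the escape-string-regexp package, the wildcard semantics (`*` matching one path segment), the length limit and the sample context strings are all assumptions made for this example.

```javascript
// Added example (not Signal K Server's code). A client-supplied subscription
// context string is turned into a RegExp. The unsafe matcher compiles it
// verbatim; the hardened matcher escapes regex metacharacters first (stand-in
// for escape-string-regexp) and expands only a '*' wildcard, so client input
// can never contribute regex structure of its own.

const MAX_CONTEXT_LENGTH = 256; // constructed limit for this example

// Escape every character that carries meaning inside a RegExp source string,
// so the resulting pattern matches the input text literally.
function escapeRegex(str) {
  return str.replace(/[|\\{}()[\]^$+*?.]/g, '\\$&');
}

// Unsafe: attacker-controlled text becomes regex syntax. Whatever a client
// sends, nested quantifiers included, is compiled and executed as written.
function unsafeContextMatcher(contextPattern) {
  const re = new RegExp(contextPattern);
  return (context) => re.test(context);
}

// Hardened: metacharacters are neutralised before compilation, so the only
// regex structure comes from the server's own template. '*' becomes '[^.]*'
// (one dotted segment, an assumption), and anchors force a whole-string match.
function safeContextMatcher(contextPattern) {
  if (typeof contextPattern !== 'string' || contextPattern.length > MAX_CONTEXT_LENGTH) {
    throw new Error('invalid subscription context');
  }
  const source = contextPattern.split('*').map(escapeRegex).join('[^.]*');
  const re = new RegExp('^' + source + '$');
  return (context) => re.test(context);
}

// Heuristic for an edge filter (e.g. a WAF rule): flags a quantifier applied
// directly to a group that itself contains a quantifier, the '(a+)+' shape
// behind catastrophic backtracking. Detection aid only; escaping is the fix.
function hasNestedQuantifier(pattern) {
  return /\([^()]*[+*][^()]*\)[+*{]/.test(pattern);
}

// Stand-alone demonstration with constructed inputs.
const unsafeSelf = unsafeContextMatcher('vessels.self');
console.log('unsafe "vessels.self" vs "vesselsXself":', unsafeSelf('vesselsXself')); // true: '.' acts as a wildcard
const safeSelf = safeContextMatcher('vessels.self');
console.log('safe   "vessels.self" vs "vesselsXself":', safeSelf('vesselsXself'));   // false
const safeAll = safeContextMatcher('vessels.*');
console.log('safe   "vessels.*" vs a vessel context:', safeAll('vessels.urn:mrn:signalk:uuid:1234')); // true
console.log('nested quantifier in "(a+)+$":', hasNestedQuantifier('(a+)+$'));       // true
```

Even a benign-looking context such as `vessels.self` changes meaning when compiled verbatim, because `.` is a wildcard; the hardened matcher treats every client character literally, and a pattern like `(a+)+$` can only ever match the string `(a+)+$` itself. The nested-quantifier check belongs at the perimeter as a cheap drop rule; it does not replace escaping inside the server.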

Remediation Steps:

  1. Identify all running instances of Signal K Server in the environment.
  2. Check the current running version via the web interface or by executing npm list -g signalk-server.
  3. Stop the running server process.
  4. Execute the update command: npm install -g signalk-server@latest.
  5. Restart the Signal K Server process and verify the active version is 2.25.0 or higher.
  6. Monitor CPU usage and system logs to confirm that CPU has returned to normal and no further event-loop stalls from the ReDoS condition occur.
