Critical severity | OSV Advisory · Published Jan 1, 2026 · Updated Jan 5, 2026
Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
CVE-2025-66398
Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (restoreFilePath) of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., security.json, package.json), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| signalk-server | npm | < 2.19.0 | 2.19.0 |
Affected products
- Range: 0.1.1, 0.1.10, 0.1.11, …
References
- github.com/advisories/GHSA-w3x5-7c4c-66p9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-66398 (NVD advisory)
- github.com/SignalK/signalk-server/commit/5c211eaf33f0ccadbaed6720264780d92afbd7f8 (commit)
- github.com/SignalK/signalk-server/releases/tag/v2.19.0 (release)
- github.com/SignalK/signalk-server/security/advisories/GHSA-w3x5-7c4c-66p9 (project advisory)