Moderate severityOSV Advisory· Published Jan 1, 2026· Updated Jan 2, 2026

Signal K Server Vulnerable to Access Request Spoofing

CVE-2025-69203

Description

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that when combined by themselves and with an information disclosure vulnerability enable convincing social engineering attacks against administrators. When a device creates an access request, it specifies three fields: clientId, description, and permissions. The SignalK admin UI displays the description field prominently to the administrator when showing pending requests, but the actual permissions field (which determines the access level granted) is less visible or displayed separately. This allows an attacker to request admin permissions while providing a description that suggests readonly access. The access request handler trusts the X-Forwarded-For HTTP header without validation to determine the client's IP address. This header is intended to preserve the original client IP when requests pass through reverse proxies, but when trusted unconditionally, it allows attackers to spoof their IP address. The spoofed IP is displayed to administrators in the access request approval interface, potentially making malicious requests appear to originate from trusted internal network addresses. Since device/source names can be enumerated via the information disclosure vulnerability, an attacker can impersonate a legitimate device or source, craft a convincing description, spoof a trusted internal IP address, and request elevated permissions, creating a highly convincing social engineering scenario that increases the likelihood of administrator approval. Users should upgrade to version 2.19.0 to fix this issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
signalk-servernpm	< 2.19.0	2.19.0

Affected products

Signalk/Signalk ServerOSV
Range: 0.1.1, 0.1.10, 0.1.11, …

Patches

221aff6cd89c

Merge commit from fork

https://github.com/SignalK/signalk-serverTeppo KurkiDec 27, 2025via ghsa

commit

2 files changed · +30 −6

src/events.ts+13 −0 modified

@@ -10,6 +10,12 @@ export function startEvents(
   onEvent: (data: any) => void,
   eventsFromQuery = ''
 ) {
+  if (
+    !app.securityStrategy.isDummy() &&
+    !app.securityStrategy.hasAdminAccess?.(spark.request)
+  ) {
+    return
+  }
   const events = eventsFromQuery.split(',')
   events.forEach((event) => {
     app.on(event, (data: any) => onEvent({ event, data }))
@@ -22,6 +28,13 @@ export function startServerEvents(app: any, spark: any, onServerEvent: any) {
   spark.onDisconnects.push(() => {
     app.removeListener('serverevent', onServerEvent)
   })
+
+  if (app.securityStrategy.hasAdminAccess?.(spark.request)) {
+    app.on('serverAdminEvent', onServerEvent)
+    spark.onDisconnects.push(() => {
+      app.removeListener('serverAdminEvent', onServerEvent)
+    })
+  }
   try {
     spark.write({
       type: 'VESSEL_INFO',

src/tokensecurity.js+17 −6 modified

@@ -136,6 +136,15 @@ module.exports = function (app, config) {
     }
   }
 
+  function hasAdminAccess(req) {
+    return (
+      req.skIsAuthenticated &&
+      req.skPrincipal &&
+      req.skPrincipal.permissions === 'admin'
+    )
+  }
+  strategy.hasAdminAccess = hasAdminAccess
+
   function writeAuthenticationMiddleware() {
     return function (req, res, next) {
       if (!getIsEnabled()) {
@@ -161,10 +170,12 @@ module.exports = function (app, config) {
         return next()
       }
 
+      if (hasAdminAccess(req)) {
+        return next()
+      }
+
       if (req.skIsAuthenticated && req.skPrincipal) {
-        if (req.skPrincipal.permissions === 'admin') {
-          return next()
-        } else if (req.skPrincipal.identifier === 'AUTO' && redirect) {
+        if (req.skPrincipal.identifier === 'AUTO' && redirect) {
           res.redirect('/@signalk/server-admin-ui/#/login')
         } else {
           handlePermissionDenied(req, res, next)
@@ -394,11 +405,11 @@ module.exports = function (app, config) {
   }
 
   strategy.allowRestart = function (req) {
-    return req.skIsAuthenticated && req.skPrincipal.permissions === 'admin'
+    return hasAdminAccess(req)
   }
 
   strategy.allowConfigure = function (req) {
-    return req.skIsAuthenticated && req.skPrincipal.permissions === 'admin'
+    return hasAdminAccess(req)
   }
 
   strategy.getLoginStatus = function (req) {
@@ -973,7 +984,7 @@ module.exports = function (app, config) {
   }
 
   function sendAccessRequestsUpdate() {
-    app.emit('serverevent', {
+    app.emit('serverAdminEvent', {
       type: 'ACCESS_REQUEST',
       from: CONFIG_PLUGINID,
       data: strategy.getAccessRequestsResponse()

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-vfrf-vcj7-wvr8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-69203ghsaADVISORY
github.com/SignalK/signalk-server/commit/221aff6cd89c56308084d1781b3abbf938605bd3ghsaWEB
github.com/SignalK/signalk-server/releases/tag/v2.19.0ghsax_refsource_MISCWEB
github.com/SignalK/signalk-server/security/advisories/GHSA-vfrf-vcj7-wvr8ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000