CVE 9.7 CRITICAL

Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)_CVE-2025-66398

January 1, 2026 invoker category_cve

9.7 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

AI Analysis

Unauthenticated state pollution vulnerability allowing account takeover and Remote Code Execution (RCE)

Basic Information

ID CVE-2025-66398

Source GitHub_M

Published Jan 1, 2026 at 18:00

Affected Product

Vendor SignalK

Product signalk-server

Version < 2.19.0

Affected Versions SignalK signalk-server < 2.19.0

CWE Classification

CWE-78 CWE-913

AI Assessment

AI Score 9.7 / 10

AI Severity Critical

Vendor SignalK

Product signalk-server

Version < 2.19.0

References

{
    "lastseen": "",
    "description": "Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's \"Restore\" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.",
    "published": "2026-01-01T18:00:38.575Z",
    "modified": "2026-01-01T18:00:38.575Z",
    "type": "cve",
    "title": "Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)",
    "source": "GitHub_M",
    "references": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-w3x5-7c4c-66p9\nhttps://github.com/SignalK/signalk-server/releases/tag/v2.19.0",
    "id": "CVE-2025-66398",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78",
        "CWE-913"
    ],
    "cvelist": null,
    "sourceData": "SignalK signalk-server < 2.19.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.7,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "signalk-server",
    "version": "< 2.19.0",
    "vendor": "SignalK",
    "ai_description": "Unauthenticated state pollution vulnerability allowing account takeover and Remote Code Execution (RCE)",
    "ai_severity": "Critical",
    "ai_vendor": "SignalK",
    "ai_product": "signalk-server",
    "ai_version": "< 2.19.0",
    "ai_score": 9.7
}

💭 Join the Security Discussion ❌ Cancel Reply