Cyber Posture

CVE-2025-66398

Critical · Public PoC

Published: 01 January 2026
Modified: 06 January 2026
KEV Added: not listed
Patch: Signal K Server 2.19.0
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.0th percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the server's internal state (`restoreFilePath`) via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent · SI-10 Information Input Validation: validate inputs to the `/skServer/validateBackup` endpoint so that crafted requests cannot set the `restoreFilePath` internal state to an attacker-chosen value.

prevent · AC-3 Access Enforcement: require an authenticated administrator session on the `/skServer/validateBackup` endpoint so that unauthenticated clients cannot manipulate server state.

prevent · SI-2 Flaw Remediation: apply the vendor patch, Signal K Server version 2.19.0, which fixes the state pollution issue.

Security Summary (AI-generated)

CVE-2025-66398 affects Signal K Server, an application that runs on central hubs in boats, in versions prior to 2.19.0. The vulnerability enables an unauthenticated attacker to pollute the server's internal state, specifically the `restoreFilePath` variable, through the `/skServer/validateBackup` endpoint. This manipulation hijacks the administrator's "Restore" functionality, allowing overwrite of critical configuration files such as `security.json` and `package.json`. The issue is associated with CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-913 (Improper Control of Dynamically-Managed Code Resources), earning a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

An unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the `/skServer/validateBackup` endpoint, requiring subsequent user interaction from an administrator who triggers the restore process. Successful exploitation leads to account takeover by altering security configurations and remote code execution (RCE) through modifications to files like `package.json`, granting full control over the server.

The Signal K Server release notes for version 2.19.0 and the associated GitHub security advisory (GHSA-w3x5-7c4c-66p9) confirm that updating to v2.19.0 fully patches the vulnerability by addressing the state pollution in the validateBackup endpoint. Security practitioners should prioritize upgrading affected boat hub installations; given the network-reachable, unauthenticated attack vector (AV:N, PR:N), hubs whose web interface is exposed beyond the vessel's local network deserve attention first, and that exposure should be reduced until the upgrade is applied.

Details

CWE(s)

Affected Products

signalk
signal k server
< 2.19.0 (fixed in 2.19.0)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing web application endpoint (/skServer/validateBackup) in Signal K Server, allowing state pollution of restoreFilePath, file overwrites (e.g., security.json, package.json), account takeover, and RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
