CVE-2025-68619

High ⚡ Exploit Available
Signal K Server Arbitrary Code Execution via Malicious npm Package Installation
CWE-94 — Weakness Type
Published: Jan 1, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3: 7.2
📄 Description (English)

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue.

🤖 AI Executive Summary

Signal K Server versions prior to 2.19.0 contain a critical code injection vulnerability in the appstore interface that allows authenticated administrators to execute arbitrary code by installing malicious npm packages through unsanitized version parameters. The vulnerability leverages npm's flexible version specifier syntax and postinstall script execution capabilities. With an available exploit and widespread use in maritime IoT systems, immediate patching is essential for all affected deployments.

🤖 AI Intelligence Analysis Analyzed: May 8, 2026 19:17
🇸🇦 Saudi Arabia Impact Assessment
While Signal K Server is primarily used in maritime/vessel systems, Saudi Arabia's significant maritime industry (Red Sea ports, Persian Gulf operations, ARAMCO offshore platforms) and growing IoT adoption in critical infrastructure could be affected. Risk is elevated for: (1) ARAMCO and energy sector maritime operations, (2) Port Authority systems in Jeddah and Dammam, (3) Government maritime surveillance systems, (4) Private sector vessel management systems. The vulnerability's requirement for admin access limits immediate risk, but compromised admin credentials or insider threats pose significant concern for critical maritime infrastructure.
🏢 Affected Saudi Sectors
Maritime and Shipping; Energy (ARAMCO offshore operations); Port Authority and Logistics; Government Maritime Operations; IoT Infrastructure; Critical Infrastructure
⚖️ Saudi Risk Score (AI): 7.8 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Signal K Server instances in your environment and document current versions
2. Restrict admin access to the appstore interface to only trusted personnel
3. Implement network segmentation to limit access to Signal K Server REST API endpoints
4. Enable audit logging for all appstore package installation activities

PATCHING:
1. Upgrade all Signal K Server instances to version 2.19.0 or later immediately
2. Verify patch installation by checking version output: signalk-server --version
3. Restart all Signal K Server services after patching
4. Test functionality in non-production environment first if possible

COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable the appstore interface entirely if not required for operations
2. Implement firewall rules to restrict access to appstore REST API endpoints to specific trusted IPs
3. Require multi-factor authentication for admin accounts
4. Monitor npm package installation attempts via system logs and process monitoring

DETECTION:
1. Monitor for suspicious npm install commands with unusual version specifiers (containing http://, https://, git://, github:)
2. Alert on any postinstall script execution from Signal K Server processes
3. Monitor outbound connections from Signal K Server to external repositories
4. Review audit logs for appstore API calls with non-standard version parameters
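The description above and the detection steps both come down to one question: is a requested version a plain registry install, or a specifier that npm will resolve somewhere else and then run lifecycle scripts from? The JavaScript below is an added example written for this page; it is not Signal K Server's code and not the project's actual fix. It allowlists version specifiers (exact semver, ^/~ ranges and the latest dist-tag) rather than denylisting URL prefixes, builds the npm argv as an array instead of a shell string, and then runs the same classifier over constructed audit-log lines. It goes a little beyond the prefixes listed in the detection step by also catching GitHub owner/repo shorthand, npm: aliases and local file paths, which npm resolves just as readily. The function names, the log-line format and every sample value are assumptions made for the example.

```javascript
// Added example (not Signal K Server's own code): allowlist validation of npm
// version specifiers plus detection over audit-log lines. Function names, the
// log format and the sample inputs below are assumptions for illustration.

// Exact semver version, optionally with a ^ or ~ range prefix and a
// pre-release suffix, e.g. "1.2.3", "^1.2.0", "~2.0.0-beta.1".
const SEMVER_RE =
  /^[~^]?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$/;

// dist-tags the appstore is willing to resolve; anything else is rejected.
const ALLOWED_TAGS = new Set(['latest']);

// Specifier shapes npm will fetch from outside the registry. Any of these lets
// an install bypass the registry-name check described in the advisory and run
// an arbitrary package's lifecycle scripts. Order matters: more specific first.
const REMOTE_PATTERNS = [
  { name: 'url',       re: /^(https?|git|git\+ssh|git\+https?|ssh):\/\//i },
  { name: 'hosted',    re: /^(github|gitlab|bitbucket|gist):/i },
  { name: 'file',      re: /^(file:|\.{0,2}\/|~\/)/ },        // "file:", "./", "../", "/", "~/"
  { name: 'alias',     re: /^npm:/i },                         // "npm:other-package@1.0.0"
  { name: 'shorthand', re: /^[\w.-]+\/[\w.-]+(#.*)?$/ },       // "owner/repo" implies GitHub
  { name: 'tarball',   re: /\.(tgz|tar\.gz)$/i },
];

// Classify a specifier as 'semver', 'tag', the name of the remote pattern it
// matches, or 'unknown' (which is also rejected: allowlist, not denylist).
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (SEMVER_RE.test(s)) return 'semver';
  if (ALLOWED_TAGS.has(s)) return 'tag';
  for (const p of REMOTE_PATTERNS) if (p.re.test(s)) return p.name;
  return 'unknown';
}

// Check to run before the appstore hands anything to npm.
function isSafeVersionSpecifier(spec) {
  const kind = classifySpecifier(spec);
  return kind === 'semver' || kind === 'tag';
}

// Build the argv to pass to npm as an array (never a shell string). Throws
// instead of forwarding a remote specifier. --ignore-scripts is a real npm
// flag that suppresses lifecycle scripts such as postinstall.
function buildInstallArgv(pkgName, spec, { ignoreScripts = true } = {}) {
  if (!/^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/.test(pkgName)) {
    throw new Error(`invalid package name: ${pkgName}`);
  }
  if (!isSafeVersionSpecifier(spec)) {
    throw new Error(`rejected version specifier (${classifySpecifier(spec)}): ${spec}`);
  }
  const argv = ['install', `${pkgName}@${spec}`];
  if (ignoreScripts) argv.push('--ignore-scripts');
  return argv;
}

// Constructed audit-log lines in an assumed format (one install request per line).
const SAMPLE_AUDIT_LOG = [
  '2026-01-02T10:15:00Z appstore.install user=admin package=signalk-plugin-example version=^1.2.0',
  '2026-01-02T10:16:30Z appstore.install user=admin package=signalk-plugin-example version=latest',
  '2026-01-02T10:17:05Z appstore.install user=admin package=signalk-plugin-example version=https://packages.example.invalid/plugin.tgz',
  '2026-01-02T10:18:40Z appstore.install user=admin package=signalk-plugin-example version=github:someone/somerepo',
  '2026-01-02T10:19:12Z appstore.install user=admin package=signalk-plugin-example version=someone/somerepo',
  '2026-01-02T10:20:00Z appstore.install user=admin package=@scope/plugin version=npm:other-package@1.0.0',
];

const LOG_RE = /^(\S+) appstore\.install user=(\S+) package=(\S+) version=(\S+)$/;

// One finding per line whose version is not a plain semver/dist-tag install.
// Lines that do not parse are reported as 'unparsed' rather than skipped.
function scanAuditLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) { findings.push({ line, kind: 'unparsed' }); continue; }
    const [, ts, user, pkg, spec] = m;
    const kind = classifySpecifier(spec);
    if (kind !== 'semver' && kind !== 'tag') findings.push({ ts, user, pkg, spec, kind });
  }
  return findings;
}

console.log(JSON.stringify(scanAuditLog(SAMPLE_AUDIT_LOG), null, 2));
```

Two design notes. The allowlist deliberately rejects compound ranges such as `>=1.0.0 <2.0.0`; if an appstore needs those, validate them with the `semver` package's `validRange` rather than loosening the regex. `--ignore-scripts` is a blunt compensating control: packages that legitimately build native addons on install will break under it, so it belongs alongside the allowlist, not instead of it.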
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Access Control and Authentication
5.2.1 - Software and Firmware Updates
5.3.1 - Vulnerability Management
5.4.1 - Secure Development Practices
🔵 SAMA CSF
ID.AM-2 - Software Inventory
PR.IP-12 - Software Development Security
DE.CM-8 - Vulnerability Scanning
RS.MI-2 - Incident Response and Management
🟡 ISO 27001:2022
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.14.2.5 - Secure development environment
A.12.2.1 - Routine operations and change management
📦 Affected Products / CPE 5 entries
signalk:signal_k_server
signalk:signal_k_server:2.19.0
📊 CVSS Score: 7.2 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: H (High)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS Score: 7.2
CWE: CWE-94
EPSS: 0.05%
Exploit: ✓ Yes
Patch: ✓ Yes
Published: 2026-01-01
Source Feed: nvd
🇸🇦 Saudi Risk Score: 7.8 / 10.0 (Priority: HIGH)
🏷️ Tags
exploit-available CWE-94