CVE-2026-39320: Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
The SignalK server is vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack in its WebSocket subscription handling logic. By placing regex metacharacters, which the server does not escape, in the context parameter of a stream subscription, an attacker can force the server’s Node.js event loop into catastrophic backtracking when the resulting pattern is evaluated against long string identifiers (such as the server’s self UUID). The result is a total Denial of Service (DoS): server CPU rises to 100% and the server stops responding to further API or socket requests.
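The root cause and the fix described above, as an added example that is not code from the Signal K project: an unsafe conversion of a client-supplied subscription context into a regex, beside an escaping conversion and an allow-list check applied before any regex is built. The context format (a dotted path where `*` is the only wildcard) and all function names are assumptions for the illustration.

```javascript
// Added example (not Signal K's own code). A subscription "context" such as
// "vessels.self" or "vessels.*" is assumed to be a dotted path in which "*" is
// the only wildcard; every other character is meant literally.

// Unsafe: only "*" is rewritten. Any other regex metacharacter in the
// client-controlled string reaches RegExp unescaped, so the client, not the
// server, decides what pattern is evaluated against every identifier.
function contextToRegexUnsafe(context) {
  return new RegExp('^' + context.replace(/\*/g, '.*') + '$');
}

// Escape every regex metacharacter so the text is matched literally.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Safe: escape first, then turn the (now escaped) wildcard back into ".*".
// The client can no longer introduce groups, alternation or quantifiers.
function contextToRegexSafe(context) {
  const literal = escapeRegex(context).replace(/\\\*/g, '.*');
  return new RegExp('^' + literal + '$');
}

// Defence in depth: reject a context that contains anything other than the
// characters a path legitimately uses (assumed allow-list) or that is
// unreasonably long, before building a regex from it at all.
const CONTEXT_ALLOWED = /^[A-Za-z0-9:_.\-*]+$/;
function isWellFormedContext(context) {
  return typeof context === 'string'
    && context.length <= 256
    && CONTEXT_ALLOWED.test(context);
}

module.exports = { contextToRegexUnsafe, contextToRegexSafe, isWellFormedContext };
```

With the unsafe conversion a context of `vessels.(a+)+$` compiles to a nested-quantifier pattern and the `.` in `vessels.self` matches any character; with the safe conversion both are matched as literal text.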
References
- github.com/SignalK/signalk-server
- github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d
- github.com/SignalK/signalk-server/pull/2568
- github.com/SignalK/signalk-server/releases/tag/v2.25.0
- github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884
- github.com/advisories/GHSA-7gcj-phff-2884
- nvd.nist.gov/vuln/detail/CVE-2026-39320