CVE-2025-66398: Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
An unauthenticated attacker can pollute the internal state (restoreFilePath) of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator’s “Restore” functionality to overwrite critical server configuration files (e.g., security.json, package.json), leading to account takeover and Remote Code Execution (RCE).
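The bug class described above, as an added illustration that is not Signal K's own code: the vulnerable shape (one server-wide restoreFilePath written by an unauthenticated handler and trusted by the admin-only restore) beside a hardened shape (admin-only validation, path bound to the admin's session, path confined to an upload directory). The request object layout, handler names and UPLOAD_DIR are assumptions for the example.

```javascript
// Illustrative reconstruction of the bug class in CVE-2025-66398, not Signal K's
// own code: request shape, handler names and UPLOAD_DIR are assumptions.
const UPLOAD_DIR = "/var/lib/signalk-example/uploads"; // assumed location

function isAdmin(req) {
  return Boolean(req.user && req.user.isAdmin);
}

// Vulnerable pattern: one server-wide variable, written by an endpoint that
// never checks authentication, then trusted by the admin-only restore.
const vulnerable = {
  restoreFilePath: null,
  validateBackup(req) {
    this.restoreFilePath = req.body.filePath; // no auth, no validation
    return { status: 200 };
  },
  restore(req) {
    if (!isAdmin(req)) return { status: 401 };
    return { status: 200, restoringFrom: this.restoreFilePath }; // last writer wins
  },
};

// Reject absolute paths and any ".." segment; keep the file under UPLOAD_DIR.
function safePath(userPath) {
  if (typeof userPath !== "string" || userPath === "") return null;
  const segments = userPath.split(/[\\\/]+/);
  if (segments[0] === "" || /^[A-Za-z]:$/.test(segments[0])) return null; // absolute
  if (segments.some((s) => s === "..")) return null; // traversal
  return UPLOAD_DIR + "/" + segments.join("/");
}

// Hardened pattern: validateBackup is admin-only, the validated path is kept in
// the admin's own session rather than global state, and restore only uses a
// path that the same session validated.
const hardened = {
  validateBackup(req) {
    if (!isAdmin(req)) return { status: 401 };
    const p = safePath(req.body.filePath);
    if (!p) return { status: 400 };
    req.session.restoreFilePath = p;
    return { status: 200 };
  },
  restore(req) {
    if (!isAdmin(req)) return { status: 401 };
    if (!req.session.restoreFilePath) return { status: 409 }; // nothing validated
    return { status: 200, restoringFrom: req.session.restoreFilePath };
  },
};
```

Running the same two calls (an anonymous validateBackup followed by an admin restore with a fresh session) against both objects shows the difference: the vulnerable restore reports whatever the anonymous caller set, the hardened one rejects the anonymous call and has nothing to restore.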
References
- github.com/SignalK/signalk-server
- github.com/SignalK/signalk-server/commit/5c211eaf33f0ccadbaed6720264780d92afbd7f8
- github.com/SignalK/signalk-server/releases/tag/v2.19.0
- github.com/SignalK/signalk-server/security/advisories/GHSA-w3x5-7c4c-66p9
- github.com/advisories/GHSA-w3x5-7c4c-66p9
- nvd.nist.gov/vuln/detail/CVE-2025-66398