CVE-2025-68619: Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
(updated )
The SignalK appstore interface allows administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any postinstall script defined in package.json, enabling arbitrary code execution.
The vulnerability exists because npm’s version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious postinstall script.
References
- github.com/SignalK/signalk-server
- github.com/SignalK/signalk-server/commit/f06140bed702de93a5dbb6b33dc2486960764d1d
- github.com/SignalK/signalk-server/releases/tag/v2.19.0
- github.com/SignalK/signalk-server/security/advisories/GHSA-93jc-vqqc-vvvh
- github.com/advisories/GHSA-93jc-vqqc-vvvh
- nvd.nist.gov/vuln/detail/CVE-2025-68619
Code Behaviors & Features
Detect and mitigate CVE-2025-68619 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →