CVE-2025-66398
BaseFortify
Publication date: 2026-01-01
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| signalk | signal_k_server | up to 2.19.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-913 | The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66398 is a critical vulnerability in the Signal K Server (versions ≤ 2.18.0) that allows an unauthenticated attacker to manipulate a global state variable called 'restoreFilePath' via the '/skServer/validateBackup' endpoint. This state pollution enables the attacker to hijack the server's 'Restore' functionality to overwrite critical configuration files like 'security.json' and 'package.json'. By doing so, the attacker can create a backdoor administrator account and subsequently execute arbitrary system commands remotely (Remote Code Execution) through a command injection vulnerability in the App Store endpoint. The vulnerability is patched in version 2.19.0. [2]
How can this vulnerability impact me?
This vulnerability can have severe impacts including account takeover by creating unauthorized administrator accounts, Remote Code Execution allowing attackers to run arbitrary commands on the server, and potential denial of service. This compromises the confidentiality, integrity, and availability of the server and its data, potentially leading to full system compromise. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for unauthorized requests to the /skServer/validateBackup and /skServer/restore endpoints, especially from unauthenticated sources. Check server logs for POST requests to /skServer/validateBackup followed by calls to /skServer/restore, and look for unexpected changes to critical configuration files such as security.json and package.json. Network monitoring tools or intrusion detection systems can be configured to alert on such activity. Specific commands depend on your environment; for example, the endpoint can be probed with curl -X POST http://<server>/skServer/validateBackup --data-binary @malicious_backup.zip, and logs can be searched with grep '/skServer/validateBackup' /var/log/signalk-server.log or similar. However, no explicit detection commands are provided in the resources. [2]
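As an added detection example (not from the advisory or from the Signal K project), the Python script below correlates the two-step pattern described in the answer above, a POST to /skServer/validateBackup followed by a call to /skServer/restore from the same client, over constructed sample log lines. The access-log layout, the field positions and the 5-minute pairing window are assumptions; adapt the regular expression to your server's real log format.

```python
import re
from datetime import datetime, timedelta

# Assumed access-log layout (constructed for this example; the real Signal K
# log format may differ): '<ip> [<ISO timestamp>] "<METHOD> <path> HTTP/1.1" <status>'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
VALIDATE_PATH = "/skServer/validateBackup"
RESTORE_PATH = "/skServer/restore"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # line does not match the assumed layout
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def find_restore_sequences(lines, window_seconds=300):
    """Return (ip, validate_ts, restore_ts) for every /skServer/restore call that
    follows a POST to /skServer/validateBackup from the same IP within the window."""
    pending = {}  # ip -> timestamp of that client's latest validateBackup POST
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == VALIDATE_PATH:
            pending[rec["ip"]] = rec["ts"]
        elif rec["path"] == RESTORE_PATH:
            seen = pending.get(rec["ip"])
            if seen is not None and rec["ts"] - seen <= timedelta(seconds=window_seconds):
                hits.append((rec["ip"], seen, rec["ts"]))
    return hits


# Constructed sample lines: 203.0.113.7 shows the suspicious sequence, 10.0.0.5 does not.
SAMPLE_LOG = [
    '10.0.0.5 [2026-01-02T10:00:00] "GET /signalk/v1/api/ HTTP/1.1" 200',
    '203.0.113.7 [2026-01-02T10:01:00] "POST /skServer/validateBackup HTTP/1.1" 200',
    '203.0.113.7 [2026-01-02T10:01:30] "POST /skServer/restore?x=1 HTTP/1.1" 200',
    '10.0.0.5 [2026-01-02T10:02:00] "POST /skServer/validateBackup HTTP/1.1" 200',
    '10.0.0.5 [2026-01-02T11:00:00] "POST /skServer/restore HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, t1, t2 in find_restore_sequences(SAMPLE_LOG):
        print(f"ALERT {ip}: validateBackup {t1.isoformat()} -> restore {t2.isoformat()}")
```

Pair the alert with a file-integrity check on security.json and package.json, since a successful restore hijack shows up as an unexpected change to those files.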
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Signal K Server to version 2.19.0 or later, which patches this vulnerability. This update includes important security fixes that prevent unauthenticated state pollution and restore hijacking. Additionally, restrict access to the server endpoints, implement authentication where possible, and monitor for suspicious activity until the update is applied. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to take over administrator accounts and execute remote code on the server, potentially leading to unauthorized access, data breaches, and manipulation of critical server configurations. Such security breaches can result in non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure access controls. Therefore, exploitation of this vulnerability could compromise compliance by exposing sensitive information and undermining system integrity. [2]