CVE-2025-66398
BaseFortify

Publication date: 2026-01-01

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.
Meta Information
Generated: 2026-06-16
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
1 associated CPE
Vendor: signalk
Product: signal_k_server
Version / Range: all versions before 2.19.0 (2.19.0 excluded)
CWE ID Description
CWE-913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

CVE-2025-66398 is a critical vulnerability in Signal K Server (versions before 2.19.0, i.e. 2.18.0 and earlier) that allows an unauthenticated attacker to set a server-global state variable, `restoreFilePath`, via the `/skServer/validateBackup` endpoint. Because the administrator's "Restore" action later extracts whatever file that variable points to, the attacker can hijack a legitimate restore to overwrite critical configuration files such as `security.json` and `package.json`. Overwriting `security.json` lets the attacker plant a backdoor administrator account, and from that foothold arbitrary system commands can be executed (Remote Code Execution) through a command injection weakness (CWE-78) in the App Store endpoint. Version 2.19.0 patches the vulnerability. [2]

Impact Analysis

This vulnerability can have severe impacts: account takeover through an unauthorized administrator account written into `security.json`, Remote Code Execution allowing attackers to run arbitrary commands on the server, and potential denial of service if a hijacked restore leaves the server unable to start. Together these compromise the confidentiality, integrity and availability of the server and its data, potentially leading to full system compromise. [2]

Detection Guidance

Detection rests on correlating the two endpoints. Log POST requests to /skServer/validateBackup and /skServer/restore (for example in the access log of a reverse proxy placed in front of the server) and look for a validateBackup call that arrives from a source other than the administrator shortly before an administrator's restore; in the normal workflow both calls come from the same admin session. Also watch for unexpected changes to critical configuration files such as security.json and package.json in the server's configuration directory (by default ~/.signalk): a new administrator user appearing in security.json, or a modified package.json, after a restore is a strong indicator. A simple first pass over logs is `grep '/skServer/validateBackup' /var/log/signalk-server.log` (substitute the path of your proxy's access log or wherever your deployment records requests), and network monitoring tools or intrusion detection systems can be configured to alert on the same request sequence. [2]

Mitigation Strategies

The immediate mitigation is to upgrade Signal K Server to version 2.19.0 or later, which patches this vulnerability by preventing unauthenticated callers from polluting the restore state and hijacking the administrator's restore. On a global npm installation the installed version can be checked with `npm ls -g signalk-server`. Until the update is applied, restrict network access to the server (firewall rules, VPN, no direct exposure to the internet) so that untrusted hosts cannot reach the /skServer/validateBackup endpoint at all; enabling the server's login security does not help on its own, because the vulnerable endpoint accepted requests without authentication. Monitor for the validateBackup-then-restore request sequence and for changes to security.json and package.json in the meantime. [1, 2]

Compliance Impact

This vulnerability allows unauthenticated attackers to take over administrator accounts and execute remote code on the server, potentially leading to unauthorized access, data breaches, and manipulation of critical server configurations. Such security breaches can result in non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure access controls. Therefore, exploitation of this vulnerability could compromise compliance by exposing sensitive information and undermining system integrity. [2]
