CVE-2025-68272
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-01

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. Version 2.19.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-01
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68272
EUVD
EUVD-2025-206139
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
signalk signal_k_server to 2.19.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Denial of Service (DoS) issue in the Signal K Server versions prior to 2.19.0. An unauthenticated attacker can flood the access request endpoint (/signalk/v1/access/requests) with a large number of POST requests containing large payloads. The server stores these requests in memory without any limit, causing the JavaScript heap memory to grow uncontrollably until it crashes with an out-of-memory error. This happens because the server does not implement rate limiting or authentication on this endpoint, and the pruning of old requests happens only every 15 minutes, allowing memory to be exhausted quickly. [1]

Impact Analysis

The impact of this vulnerability is a complete denial of service on the Signal K Server. The server crashes due to memory exhaustion and becomes unavailable, requiring a manual restart. This disrupts legitimate users' access to the server and can interrupt critical services such as vessel navigation data, potentially causing operational issues on boats relying on this server. [1]

Detection Guidance

This vulnerability can be detected by monitoring for an unusually high number of POST requests to the endpoint `/signalk/v1/access/requests`. You can use network monitoring tools or command-line utilities like `tcpdump` or `curl` to observe or simulate such traffic. For example, to monitor incoming POST requests to the endpoint on the server, you could use: `tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/signalk/v1/access/requests'`. Additionally, checking server logs for repeated POST requests to this endpoint or observing Node.js process crashes with errors like "JavaScript heap out of memory" can indicate exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading the SignalK Server to version 2.19.0 or later, where the vulnerability is fixed. If upgrading is not immediately possible, implement rate limiting on the `/signalk/v1/access/requests` endpoint to restrict the number of requests per IP address (e.g., using `express-rate-limit`). Additionally, enforce a maximum number of stored requests in memory (such as limiting to 100 requests) and validate or limit the size of payload fields like `description` to prevent excessively large requests. These steps help prevent unbounded memory consumption and server crashes. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68272. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart