CVE-2025-68272
BaseFortify
Publication date: 2026-01-01
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| signalk | signal_k_server | to 2.19.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Denial of Service (DoS) issue in the Signal K Server versions prior to 2.19.0. An unauthenticated attacker can flood the access request endpoint (/signalk/v1/access/requests) with a large number of POST requests containing large payloads. The server stores these requests in memory without any limit, causing the JavaScript heap memory to grow uncontrollably until it crashes with an out-of-memory error. This happens because the server does not implement rate limiting or authentication on this endpoint, and the pruning of old requests happens only every 15 minutes, allowing memory to be exhausted quickly. [1]
How can this vulnerability impact me? :
The impact of this vulnerability is a complete denial of service on the Signal K Server. The server crashes due to memory exhaustion and becomes unavailable, requiring a manual restart. This disrupts legitimate users' access to the server and can interrupt critical services such as vessel navigation data, potentially causing operational issues on boats relying on this server. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for an unusually high number of POST requests to the endpoint `/signalk/v1/access/requests`. You can use network monitoring tools or command-line utilities like `tcpdump` or `curl` to observe or simulate such traffic. For example, to monitor incoming POST requests to the endpoint on the server, you could use: `tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/signalk/v1/access/requests'`. Additionally, checking server logs for repeated POST requests to this endpoint or observing Node.js process crashes with errors like "JavaScript heap out of memory" can indicate exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the SignalK Server to version 2.19.0 or later, where the vulnerability is fixed. If upgrading is not immediately possible, implement rate limiting on the `/signalk/v1/access/requests` endpoint to restrict the number of requests per IP address (e.g., using `express-rate-limit`). Additionally, enforce a maximum number of stored requests in memory (such as limiting to 100 requests) and validate or limit the size of payload fields like `description` to prevent excessively large requests. These steps help prevent unbounded memory consumption and server crashes. [1]