CVE-2025-68273
BaseFortify

Publication date: 2026-01-01

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks. Version 2.19.0 patches the issue.
Meta Information
Published: 2026-01-01
Last Modified: 2026-01-06
Generated: 2026-05-07
AI Q&A: 2026-01-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: signalk
Product: signal_k_server
Version / Range: up to 2.19.0 (excluding)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-68273 is an unauthenticated information disclosure vulnerability in Signal K Server versions prior to 2.19.0. Certain sensitive API endpoints are not protected by authentication, allowing any user to access them without credentials. This lets an attacker retrieve sensitive system information such as the full SignalK data schema, connected serial devices, and installed analyzer tools. This information can be used to understand the system's internal state and plan further attacks. The issue is fixed in version 2.19.0 by adding these endpoints to the authentication middleware. [1]


How can this vulnerability impact me?

This vulnerability can impact you by exposing sensitive system information to unauthorized users. Attackers can gather detailed data about the vessel's environment, navigation, connected hardware, and installed tools without authentication. This reconnaissance can facilitate further targeted attacks, potentially compromising system security or privacy. Although it does not directly affect system integrity or availability, the information disclosure itself poses a moderate security risk. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by attempting to access the sensitive API endpoints without authentication. Specifically, you can send HTTP GET requests to the following endpoints on the Signal K Server: `/skServer/serialports`, `/skServer/availablePaths`, and `/skServer/hasAnalyzer`. If these endpoints return data without requiring authentication, your system is vulnerable. For example, you can use curl commands like: `curl http://<server_address>/skServer/serialports`, `curl http://<server_address>/skServer/availablePaths`, and `curl http://<server_address>/skServer/hasAnalyzer` to test accessibility. [1]
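The same unauthenticated probe as a repeatable check for your own server, as an added example that is not part of the original record or of the Signal K project. It classifies each response by status code and whether the body parses as JSON; the base URL and the 401/403-means-protected assumption are mine, and the sample responses in the test are constructed.

```python
import json
import sys
import urllib.error
import urllib.request

# Endpoints the advisory names as reachable without credentials before 2.19.0.
ENDPOINTS = ("/skServer/serialports", "/skServer/availablePaths", "/skServer/hasAnalyzer")


def classify(status, body):
    """Map one unauthenticated response to 'exposed', 'protected' or 'unknown'.

    Assumption: a patched server answers 401 or 403 on these routes; a 200 whose
    body is JSON means data was handed out with no credentials.
    """
    if status in (401, 403):
        return "protected"
    if status == 200:
        try:
            json.loads(body)
            return "exposed"
        except ValueError:
            return "unknown"  # 200 but not JSON, e.g. an HTML login page
    return "unknown"


def fetch(base_url, path, timeout=5):
    """Issue one GET with no auth header; return (status, body) instead of raising."""
    req = urllib.request.Request(base_url.rstrip("/") + path, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def assess(results):
    """results: {path: (status, body)} -> ({path: verdict}, vulnerable_flag)."""
    verdicts = {path: classify(*results[path]) for path in ENDPOINTS if path in results}
    return verdicts, any(v == "exposed" for v in verdicts.values())


def check_server(base_url):
    return assess({path: fetch(base_url, path) for path in ENDPOINTS})


if __name__ == "__main__":
    # Usage: python check_signalk.py http://<server_address>   (address is yours to supply)
    verdicts, vulnerable = check_server(sys.argv[1])
    for path, verdict in verdicts.items():
        print(f"{path}: {verdict}")
    print("VULNERABLE: update to 2.19.0 or later" if vulnerable else "no unauthenticated exposure observed")
```

Any path reported as "exposed" means the server handed out data with no credentials; "unknown" results (redirects, non-JSON bodies) should be inspected by hand rather than treated as safe.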


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Signal K Server to version 2.19.0 or later, where the vulnerability is patched. The patch adds the missing API endpoints to the authentication middleware, ensuring these sensitive routes require authentication. If updating is not immediately possible, you should restrict access to these endpoints by network controls or manually modify the `src/tokensecurity.js` file to include these endpoints in the authentication middleware protection list. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

