CVE-2025-68273
BaseFortify

Publication date: 2026-01-01

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks. Version 2.19.0 patches the issue.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-01
EPSS evaluated: 2026-06-15
Affected Vendors & Products
One associated CPE:
Vendor: signalk
Product: signal_k_server
Version / Range: all versions before 2.19.0 (2.19.0 excluded)
CWE
NVD-CWE-noinfo: NVD has not assigned a specific weakness.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Executive Summary

CVE-2025-68273 is an unauthenticated information disclosure vulnerability in Signal K Server versions prior to 2.19.0. Certain sensitive API endpoints are not protected by authentication, allowing any user to access them without credentials. This lets an attacker retrieve sensitive system information such as the full SignalK data schema, connected serial devices, and installed analyzer tools. This information can be used to understand the system's internal state and plan further attacks. The issue is fixed in version 2.19.0 by adding these endpoints to the authentication middleware. [1]

Impact Analysis

This vulnerability can impact you by exposing sensitive system information to unauthorized users. Attackers can gather detailed data about the vessel's environment, navigation, connected hardware, and installed tools without authentication. This reconnaissance can facilitate further targeted attacks, potentially compromising system security or privacy. Although it does not directly affect system integrity or availability, the information disclosure itself poses a moderate security risk. [1]

Detection Guidance

You can detect this vulnerability by attempting to access the sensitive API endpoints without authentication. Specifically, you can send HTTP GET requests to the following endpoints on the Signal K Server: `/skServer/serialports`, `/skServer/availablePaths`, and `/skServer/hasAnalyzer`. If these endpoints return data without requiring authentication, your system is vulnerable. For example, you can use curl commands like: `curl http://<server_address>/skServer/serialports`, `curl http://<server_address>/skServer/availablePaths`, and `curl http://<server_address>/skServer/hasAnalyzer` to test accessibility. [1]
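A way to run the check above against your own server, as an added example that is not from the advisory or the Signal K project: it requests the three endpoints with no credentials and classifies each by HTTP status. It assumes Node 18 or later (global `fetch`) and a server on the default port 3000; `fetchImpl` is injectable so the logic can be exercised against constructed responses.

```javascript
// Added example, not from the advisory or the Signal K project. Assumes Node 18+
// (global fetch). fetchImpl is injectable so the logic runs against constructed
// responses without a live server.
const SENSITIVE_ENDPOINTS = [
  '/skServer/serialports',
  '/skServer/availablePaths',
  '/skServer/hasAnalyzer',
];

// A sensitive endpoint that answers 2xx to a request carrying no credentials is
// exposed. 401/403 means the authentication middleware is in front of it, 3xx is
// typically a login redirect, and 404 means the route is not present at all.
function classify(status) {
  if (status >= 200 && status < 300) return 'exposed';
  if (status === 401 || status === 403) return 'protected';
  if (status >= 300 && status < 400) return 'redirected';
  if (status === 404) return 'absent';
  return 'unknown';
}

// Request each endpoint with no Authorization header and no cookie, exactly as
// the curl commands above do, and record the classification per path.
async function probe(baseUrl, fetchImpl = globalThis.fetch) {
  const findings = {};
  for (const path of SENSITIVE_ENDPOINTS) {
    const url = new URL(path, baseUrl).toString();
    const res = await fetchImpl(url, {
      method: 'GET',
      redirect: 'manual',
      headers: { Accept: 'application/json' },
    });
    findings[path] = classify(res.status);
  }
  return findings;
}

// The server is affected if any of the endpoints answered without credentials.
function isVulnerable(findings) {
  return Object.values(findings).includes('exposed');
}

// Usage: node check-signalk.js http://<server_address>:3000 (hypothetical name)
if (typeof require !== 'undefined' && require.main === module) {
  probe(process.argv[2] || 'http://localhost:3000').then((findings) => {
    console.log(JSON.stringify(findings, null, 2));
    console.log(isVulnerable(findings)
      ? 'VULNERABLE: update Signal K Server to 2.19.0 or later'
      : 'not exposed');
  });
}
```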

Mitigation Strategies

The immediate mitigation step is to update the Signal K Server to version 2.19.0 or later, where the vulnerability is patched. The patch adds the missing API endpoints to the authentication middleware, ensuring these sensitive routes require authentication. If updating is not immediately possible, you should restrict access to these endpoints by network controls or manually modify the `src/tokensecurity.js` file to include these endpoints in the authentication middleware protection list. [1]

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
