CVE-2025-68619
BaseFortify

Publication date: 2026-01-01

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue.
Meta Information
Published: 2026-01-01
Last modified: 2026-01-06
Generated: 2026-05-07
AI Q&A: 2026-01-01
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Showing 5 associated CPEs (four of them are identical entries for 2.19.0)
Vendor   Product           Version / Range
signalk  signal_k_server   up to 2.19.0 (exclusive)
signalk  signal_k_server   2.19.0
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can involve monitoring the appstore REST API endpoint for npm package installation requests that include non-semver version parameters such as URLs, git repository links, or GitHub shorthand syntax. Additionally, inspecting installed npm packages for unexpected sources or postinstall scripts can help identify exploitation. Specific commands might include: 1) Checking running processes or logs for npm install commands with unusual version specifiers. 2) Using network monitoring tools to detect HTTP/HTTPS requests to suspicious URLs during package installation. 3) Auditing installed packages with commands like `npm ls` to review package versions and sources. 4) Searching for postinstall scripts in installed packages by inspecting their package.json files, e.g., `grep -r postinstall node_modules/*/package.json`. However, no exact commands are provided in the resources. [1]


Can you explain this vulnerability to me?

This vulnerability in Signal K Server versions prior to 2.19.0-beta.4 allows an attacker with administrative access to execute arbitrary code remotely. The appstore REST API endpoint lets administrators install npm packages by specifying a package name and version. While the package name is validated against known SignalK plugins or webapps, the version parameter is not sanitized and accepts arbitrary npm version specifiers, including URLs and git repositories. Since npm automatically runs any postinstall scripts defined in the package, an attacker can supply a malicious package with a harmful postinstall script, leading to remote code execution on the server with SignalK process privileges. [1]


How can this vulnerability impact me?

Exploitation of this vulnerability can lead to full system compromise. An attacker can execute arbitrary code on the SignalK server, potentially resulting in data theft, installation of backdoors, lateral movement within the network, denial of service, and manipulation of marine navigation data such as spoofing AIS messages, altering GPS data, injecting false sensor readings, or sending shutdown commands to boat engines via NMEA 2000/0183 protocols. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include: 1) Restricting package installation to only allow semantic versioning (semver) format for the version parameter, preventing URLs or git references. 2) Using npm's `--ignore-scripts` flag during package installation to prevent execution of lifecycle scripts such as postinstall. 3) Implementing an allowlist of approved packages to restrict what can be installed. 4) Sandboxing the package installation process to limit potential damage from malicious code execution. 5) Upgrading Signal K Server to version 2.19.0 or later, which contains a patch for this vulnerability. [1]
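An added example, not Signal K Server's own code, covering the mechanism in the description and mitigation steps 1 and 2 above: a classifier that labels the version-specifier forms npm would accept (plain semver, dist-tag, URL, hosted git, GitHub shorthand), which also serves the log-auditing idea from the detection answer; a validator that only lets semver or the `latest` tag through; and an argv builder that adds `--ignore-scripts`. The `latest` allowlist, the `--save` flag and the function names are assumptions, not from the advisory.

```javascript
// Added example (not Signal K Server code). Assumes the package name has
// already been checked against the plugin/webapp registry, as the advisory
// says it was; only the "version" parameter is handled here.

// Exact version or ^/~ range: MAJOR.MINOR.PATCH with optional pre-release tag,
// anchored at both ends so nothing can be appended to a valid-looking prefix.
const SEMVER_SPEC =
  /^[~^]?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$/;
// Assumption: "latest" is the only dist-tag the hub needs to resolve.
const ALLOWED_DIST_TAGS = new Set(['latest']);

// Label a specifier the way npm would interpret it. Usable both for request
// validation and for auditing appstore request logs for non-semver values.
function classifyVersionSpec(spec) {
  const s = String(spec).trim();
  if (SEMVER_SPEC.test(s)) return 'semver';
  if (ALLOWED_DIST_TAGS.has(s)) return 'dist-tag';
  if (/^(git\+)?(https?|ssh|git|file):/i.test(s)) return 'url';      // tarball, git or local path
  if (/^(github|gist|gitlab|bitbucket):/i.test(s)) return 'hosted-git';
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return 'github-shorthand'; // user/repo[#ref]
  return 'unknown';                                                 // e.g. npm: aliases, ranges
}

// Allowlist, not denylist: anything that is not plainly a version is refused.
function isSafeVersionSpec(spec) {
  const kind = classifyVersionSpec(spec);
  return kind === 'semver' || kind === 'dist-tag';
}

// Build argv for child_process.spawn('npm', args). Throws on an unsafe
// specifier; --ignore-scripts stops lifecycle scripts (postinstall included)
// from running even for a registry package, at the cost of also skipping
// any legitimate build step a plugin may declare.
function buildInstallArgs(name, spec) {
  if (!isSafeVersionSpec(spec)) {
    throw new Error(`rejected version specifier for ${name}: ${classifyVersionSpec(spec)}`);
  }
  return ['install', `${name}@${String(spec).trim()}`, '--ignore-scripts', '--save'];
}
```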


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker with administrative access to execute arbitrary code on the SignalK server, potentially leading to full system compromise including data theft and manipulation of data. Such unauthorized access and data breaches could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and ensuring system integrity. Therefore, exploitation of this vulnerability could negatively impact compliance with these standards by exposing sensitive data and compromising system security. [1]

