CVE-2025-69203
BaseFortify

Publication date: 2026-01-01

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
Signal K Server is a server application that runs on a central hub in a boat. In versions prior to 2.19.0, the access request system has two related features that, combined with each other and with an information disclosure vulnerability, enable convincing social engineering attacks against administrators.

When a device creates an access request, it specifies three fields: `clientId`, `description`, and `permissions`. The SignalK admin UI displays the `description` field prominently to the administrator when showing pending requests, but the actual `permissions` field (which determines the access level granted) is less visible or displayed separately. This allows an attacker to request `admin` permissions while providing a description that suggests read-only access.

The access request handler trusts the `X-Forwarded-For` HTTP header without validation to determine the client's IP address. This header is intended to preserve the original client IP when requests pass through reverse proxies, but when it is trusted unconditionally it allows attackers to spoof their IP address. The spoofed IP is displayed to administrators in the access request approval interface, potentially making malicious requests appear to originate from trusted internal network addresses.

Since device/source names can be enumerated via the information disclosure vulnerability, an attacker can impersonate a legitimate device or source, craft a convincing description, spoof a trusted internal IP address, and request elevated permissions, creating a highly convincing social engineering scenario that increases the likelihood of administrator approval. Users should upgrade to version 2.19.0 to fix this issue.
Meta Information
Published: 2026-01-01
Last Modified: 2026-01-06
Generated: 2026-05-07
AI Q&A: 2026-01-01
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 5 associated CPEs

Vendor    Product           Version / Range
signalk   signal_k_server   up to 2.19.0 (excluding)
signalk   signal_k_server   2.19.0
signalk   signal_k_server   2.19.0
signalk   signal_k_server   2.19.0
signalk   signal_k_server   2.19.0
CWE

CWE ID    Description
CWE-290   This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Signal K Server versions prior to 2.19.0 involves attackers exploiting how access requests are handled. When a device requests access, it sends a description and permissions. The admin UI prominently shows the description but less visibly the permissions, allowing attackers to mislead admins by showing a benign description while requesting admin-level permissions. Additionally, the system trusts the X-Forwarded-For HTTP header without validation, letting attackers spoof their IP address to appear as trusted internal devices. Combined with an information disclosure flaw that lets attackers enumerate legitimate device names, this enables highly convincing social engineering attacks to gain elevated access. [1]


How can this vulnerability impact me?

An attacker can exploit this vulnerability to trick administrators into granting them admin privileges by spoofing device descriptions and IP addresses. This can lead to unauthorized administrative access, potentially allowing attackers to bypass authentication, manipulate system settings, or access sensitive data. The impact includes low confidentiality, integrity, and availability losses but can escalate if combined with other vulnerabilities like token theft. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves monitoring access requests for suspicious patterns such as mismatched descriptions and permissions, and spoofed IP addresses supplied via the X-Forwarded-For header. Administrators should audit logs to compare the X-Forwarded-For header against the actual connection IP. Commands to check HTTP headers in logs or live traffic include tools such as tcpdump or curl. For example, tcpdump can capture HTTP requests: `tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep X-Forwarded-For` (note that on port 443 the headers are inside TLS and will not be visible in the capture; inspect them at the reverse proxy or in the server's request logs instead). Additionally, reviewing server logs for access requests with elevated permissions but misleading descriptions can help detect exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading SignalK Server to version 2.19.0 or later, which fixes the issue. Additionally, configure the server to validate the X-Forwarded-For header by trusting it only from known, trusted proxy IP addresses (e.g., using Express.js trust proxy settings). Implement logging of both forwarded and actual connection IPs for auditing purposes. Enforce that administrators explicitly select permission levels during access request approval rather than relying on client-supplied values. Consider IP whitelisting to allow access requests only from known device IPs, preventing spoofed requests from external sources. [1]
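As an added illustration of the X-Forwarded-For trust issue in the description and the mitigation advice above (not Signal K Server's own code; the function names, the trusted-proxy list and the sample requests are constructed assumptions), the following Node.js snippet resolves the client IP of an access request only from a configured set of trusted proxies, records both the connection address and the forwarded chain for auditing, and puts the requested permission level ahead of the free-text description in the approval summary:

```javascript
// Added example, not code from Signal K Server. Names and addresses are assumptions.

// Only these peers are allowed to set X-Forwarded-For (constructed sample: one
// reverse proxy on the boat's internal network).
const TRUSTED_PROXIES = new Set(['10.0.0.2']);

// Split a comma-separated X-Forwarded-For value into its hops.
function parseForwardedFor(header) {
  if (!header) return [];
  return String(header).split(',').map((s) => s.trim()).filter(Boolean);
}

// Resolve the client IP. The vulnerable pattern this replaces is simply
// "chain[0] || remoteAddress", which lets any direct client pick its own IP.
// Returns { clientIp, forwardedChain, spoofSuspected }.
function resolveClientIp(remoteAddress, xffHeader, trustedProxies = TRUSTED_PROXIES) {
  const chain = parseForwardedFor(xffHeader);
  if (!trustedProxies.has(remoteAddress)) {
    // Direct connection: the header is attacker-controlled, so ignore it and
    // flag the request if it tried to set one anyway.
    return { clientIp: remoteAddress, forwardedChain: chain, spoofSuspected: chain.length > 0 };
  }
  // Request came through a trusted proxy: walk the chain from the right (the
  // entry appended by the nearest proxy) and stop at the first untrusted hop.
  // Anything further left was supplied by the client and is not trusted.
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(chain[i])) {
      return { clientIp: chain[i], forwardedChain: chain, spoofSuspected: false };
    }
  }
  return { clientIp: remoteAddress, forwardedChain: chain, spoofSuspected: false };
}

// Build what an administrator should see for a pending request: the requested
// permission level first, the description after it, and both IPs side by side.
function describePendingRequest(request, remoteAddress, trustedProxies = TRUSTED_PROXIES) {
  const ip = resolveClientIp(remoteAddress, request.headers['x-forwarded-for'], trustedProxies);
  const summary = {
    clientId: request.clientId,
    requestedPermissions: request.permissions, // never inferred from the description
    description: request.description,
    connectionIp: remoteAddress,
    clientIp: ip.clientIp,
    spoofSuspected: ip.spoofSuspected,
  };
  summary.auditLine =
    `access-request clientId=${request.clientId} permissions=${request.permissions} ` +
    `connection=${remoteAddress} forwarded="${ip.forwardedChain.join(',')}" ` +
    `client=${ip.clientIp} spoofSuspected=${ip.spoofSuspected}`;
  return summary;
}

// Constructed sample requests: one direct client claiming an internal address,
// one legitimate request arriving through the trusted proxy.
const SAMPLE_REQUESTS = [
  {
    remoteAddress: '203.0.113.7',
    request: {
      clientId: 'chartplotter-1',
      description: 'Read-only chart display',
      permissions: 'admin',
      headers: { 'x-forwarded-for': '192.168.1.10' },
    },
  },
  {
    remoteAddress: '10.0.0.2',
    request: {
      clientId: 'ais-receiver',
      description: 'AIS data source',
      permissions: 'readonly',
      headers: { 'x-forwarded-for': '192.168.1.10' },
    },
  },
];

for (const { request, remoteAddress } of SAMPLE_REQUESTS) {
  console.log(describePendingRequest(request, remoteAddress).auditLine);
}
```

The first sample connects directly and sets the header itself, so it is resolved to its real address 203.0.113.7 and flagged; the second arrives through the trusted proxy and resolves to 192.168.1.10 without a flag. With Express, the same effect is obtained by setting `trust proxy` to the proxy's address rather than to `true`.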

