CVE-2026-39320
ReDoS Vulnerability in Signal K Server Causes Complete DoS
Publication date: 2026-04-21
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| signalk | signal_k_server | up to 2.25.0 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability described in CVE-2026-39320 results in a Denial of Service (DoS) condition by allowing unauthenticated attackers to cause the SignalK server to become unresponsive through a Regular Expression Denial of Service (ReDoS) attack. This impacts the availability of the server but does not directly disclose or compromise sensitive data.
While the CVE and associated resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the availability impact caused by this vulnerability could indirectly affect compliance. For example, GDPR and HIPAA require ensuring the availability and resilience of systems processing personal or health data. A DoS attack that renders the server unresponsive could violate these availability requirements.
Furthermore, the fix implemented in version 2.25.0, including proper input sanitization and rate limiting, helps mitigate the risk of service disruption, thereby supporting compliance with such standards by maintaining system availability and reducing the risk of abuse.
Can you explain this vulnerability to me?
CVE-2026-39320 is a high-severity vulnerability in the Signal K Server, a server application running on a boat's central hub. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack. The issue arises because the server improperly handles user-supplied subscription path strings in its WebSocket subscription logic, converting them into regular expressions without fully escaping all regex metacharacters.
An attacker can inject crafted regex patterns containing nested quantifiers into the `context` parameter of a stream subscription. When the server evaluates these malicious regexes against long string identifiers (like the server's UUID), the regex engine enters catastrophic backtracking, causing the Node.js event loop to lock up. This results in the server's CPU spiking to 100% and becoming completely unresponsive to API or socket requests, effectively causing a total Denial of Service.
The vulnerability requires no authentication or user interaction and can be triggered remotely over the network. It was fixed in version 2.25.0 by properly escaping all regex metacharacters before compiling subscription path strings into regular expressions.
How can this vulnerability impact me?
This vulnerability can cause a complete Denial of Service (DoS) on the Signal K Server. An attacker can remotely send specially crafted WebSocket subscription requests that cause the server's Node.js event loop to become stuck in a catastrophic regex evaluation loop.
The impact includes the server's CPU usage spiking to 100%, making it completely unresponsive to any further API or socket requests. This means legitimate users and systems relying on the server will experience outages and loss of service.
Since the attack requires no authentication and can be performed remotely, it poses a significant availability risk to any deployment of vulnerable Signal K Server versions prior to 2.25.0.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability manifests as a Denial of Service (DoS) condition where the SignalK server's CPU usage spikes to 100% and the server becomes unresponsive to API or socket requests. This occurs when an attacker injects crafted regular expression metacharacters into the WebSocket subscription's context parameter, causing catastrophic backtracking in the regex engine.
Detection can be performed by monitoring the server's CPU usage and responsiveness, especially during WebSocket subscription requests. A proof-of-concept involves establishing a WebSocket connection and sending a subscription payload with malicious regex patterns (e.g., nested quantifiers like '([a-z0-9:-]+)+!') in the context parameter, then observing if the server becomes unresponsive or if HTTP polling requests experience increasing latency or timeouts.
Specific commands are not provided in the available resources. However, network or system administrators can monitor for unusually high CPU usage on the SignalK server process and inspect WebSocket subscription requests for suspicious regex metacharacters in the context parameter.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the SignalK server to version 2.25.0 or later, which contains a fix for this vulnerability by properly escaping all regex metacharacters in subscription path strings before compiling them into regular expressions.
Additionally, the release includes implementation of rate limiting on the WebSocket login endpoint to prevent abuse, which helps mitigate related brute-force attack vectors.
If upgrading immediately is not possible, monitoring and restricting WebSocket subscription requests that contain unescaped regex metacharacters in the context parameter may help reduce risk, although no specific workaround commands are provided.