CVE-2026-41893
WebSocket Authentication Bypass in Signal K Server
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| signalk | signalk_server | 2.24.0 (affected) |
| signalk | signalk_server | all versions before 2.25.0 (affected; 2.25.0 excluded) |
| signalk | signalk_server | 2.25.0 (fixed release, not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Signal K Server versions 2.24.0 and earlier do not rate-limit the WebSocket login path. The HTTP login endpoints are throttled (default 100 attempts per 10 minutes per IP), but an unauthenticated client that opens a WebSocket connection can send login messages over it without any such limit, so the HTTP rate limit is bypassed entirely.
An attacker can therefore brute-force passwords at roughly 20 attempts per second per connection, bounded only by the server's bcrypt hashing throughput, and can open several WebSocket connections in parallel to multiply that rate, which is enough to run a large dictionary attack in minutes.
The root cause is that the WebSocket login handler calls the login function directly, without any throttling, whereas the HTTP login routes go through the express-rate-limit middleware.
How can this vulnerability impact me?
An attacker can perform unlimited brute-force login attempts against the Signal K Server over WebSocket connections, bypassing the HTTP rate limits.
If any account uses a weak or common password, this leads to unauthorized access, compromising the server and potentially the boat's network on which it is deployed.
Because each connection sustains around 20 attempts per second, and connections can be run in parallel, large password dictionaries can be exhausted quickly, so the risk of credential compromise is high.
The result can be unauthorized control of, or data access on, the boat's central hub, with consequences for operational security and safety.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Look for unusually high numbers of login attempts arriving over WebSocket connections to the Signal K server. These never pass through the HTTP login routes, so the HTTP rate limiter neither blocks nor records them.
In practice that means spotting repeated login messages from the same IP address at a high rate (on the order of 20 attempts per second per connection, or more across parallel connections).
Suggested commands or approaches include:
- Capture traffic to the server with tcpdump or Wireshark and look for repeated login messages. Example, with the port adjusted to your deployment (Signal K's default is 3000; use 80 or 443 if it sits behind a reverse proxy): `tcpdump -i <interface> 'tcp port 3000 or tcp port 80 or tcp port 443' -w capture.pcap`
- In the capture, look for WebSocket text frames carrying JSON of the form `{"login": {"username": ..., "password": ...}}` repeated from one source. This only works where the traffic is visible in the clear; for wss:// (TLS) connections, inspect at the TLS-terminating proxy or rely on server-side logs instead.
- Check the server logs for high-frequency login attempts or authentication failures originating from the same IP address.
- If available, enable or review rate-limiting logs or alerts. Before the fix these cover only the HTTP path, so their silence does not mean no attack is in progress.
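The detection logic above, as an added example that is not part of the advisory or of the Signal K project: it scans server-side log lines for WebSocket login frames and reports any client IP whose attempts exceed a threshold within a sliding window. The log line format (`<ISO time> ws <client-ip> <JSON frame>`) and the sample lines are constructed for this example; the `{login: {username, password}}` envelope is the one the advisory describes.

```javascript
// Added example, not Signal K project code: flag per-IP bursts of WebSocket login
// messages in a server-side log. The log format "<ISO time> ws <client-ip> <JSON frame>"
// is an assumption for this example; the {login:{username,password}} envelope is the one
// the advisory describes.

const BURST_WINDOW_MS = 1000; // sliding window length
const BURST_THRESHOLD = 10;   // login attempts per window per IP that count as a burst

// Constructed sample: one client at 20 login attempts/s, one normal user, some noise.
function buildSampleLog() {
  const base = Date.parse('2026-05-09T10:00:00.000Z');
  const lines = [];
  for (let i = 0; i < 50; i++) {
    const ts = new Date(base + i * 50).toISOString();
    lines.push(`${ts} ws 203.0.113.7 {"login":{"username":"admin","password":"guess${i}"}}`);
  }
  for (let i = 0; i < 3; i++) {
    const ts = new Date(base + i * 20000).toISOString();
    lines.push(`${ts} ws 198.51.100.4 {"login":{"username":"skipper","password":"typo${i}"}}`);
  }
  const t = new Date(base + 100).toISOString();
  lines.push(`${t} ws 198.51.100.4 {"context":"vessels.self","subscribe":[{"path":"navigation.position"}]}`);
  lines.push('unrelated line that the parser must skip');
  return lines;
}

// Parse one log line into { ts, ip, msg }, or null if it is not a WebSocket frame record.
function parseLine(line) {
  const m = /^(\S+) ws (\S+) (\{.*\})$/.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  try {
    return { ts, ip: m[2], msg: JSON.parse(m[3]) };
  } catch (e) {
    return null;
  }
}

// A frame is a login attempt when it carries login.username and login.password strings.
function isLoginAttempt(msg) {
  return !!msg && typeof msg === 'object' && !!msg.login && typeof msg.login === 'object'
    && typeof msg.login.username === 'string' && typeof msg.login.password === 'string';
}

// One finding per IP whose peak count of login attempts inside any windowMs reaches
// threshold. Sliding window over the IP's sorted timestamps (two-pointer scan).
function detectLoginBursts(lines, { windowMs = BURST_WINDOW_MS, threshold = BURST_THRESHOLD } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || !isLoginAttempt(ev.msg)) continue;
    if (!perIp.has(ev.ip)) perIp.set(ev.ip, []);
    perIp.get(ev.ip).push(ev.ts);
  }
  const findings = [];
  for (const [ip, stamps] of perIp) {
    stamps.sort((a, b) => a - b);
    let peak = 0;
    let start = 0;
    for (let end = 0; end < stamps.length; end++) {
      while (stamps[end] - stamps[start] >= windowMs) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= threshold) {
      findings.push({
        ip,
        attempts: stamps.length,
        peakPerWindow: peak,
        first: new Date(stamps[0]).toISOString(),
        last: new Date(stamps[stamps.length - 1]).toISOString(),
      });
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(detectLoginBursts(buildSampleLog()), null, 2));
}
```

Run against the constructed sample, only 203.0.113.7 is reported (50 attempts, peak 20 in one second); the user who mistypes a password three times in a minute is not. Feed the real log through `detectLoginBursts` after adapting `parseLine` to your own log format, and tune the window and threshold to your deployment.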
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Signal K server to version 2.25.0 or later, where the vulnerability has been patched.
Version 2.25.0 introduces a shared, per-IP rate limiter that enforces a combined login attempt budget across both HTTP and WebSocket login endpoints, preventing attackers from bypassing rate limits via WebSocket.
Additional mitigation steps include:
- Apply the update that adds the custom LoginRateLimiter module, which limits login attempts to 100 per 10 minutes per IP address and is shared between the HTTP and WebSocket paths.
- Verify that the server extracts the correct client IP address. If it sits behind a reverse proxy, it must read the X-Forwarded-For header so that every client is not counted under the proxy's address; if it does not, X-Forwarded-For must not be trusted, because a direct client could then spoof a fresh address on each attempt and sidestep the per-IP limit.
- Monitor login attempts and add network-level protections, such as firewall rules that restrict access to the Signal K server from untrusted networks.
- If you cannot upgrade immediately, temporarily disable or restrict WebSocket login, or put external rate limiting or an intrusion detection system in front of the server.
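The shape of the fix, as an added example that is not Signal K's own LoginRateLimiter and not code from the advisory: it covers both the root cause described in the first answer (the WebSocket handler calling the login function without throttling while the HTTP route is rate-limited) and the mitigation above (one per-IP budget of 100 attempts per 10 minutes shared by both paths, with client IP resolved correctly behind a proxy). Every name here (`LoginRateLimiter`, `clientIp`, `loginOverHttp`, `loginOverWebSocket`, `checkPassword`, `USERS`), the request and response shapes, and the proxy address are illustrative assumptions, not the project's API.

```javascript
// Added example, not Signal K's own LoginRateLimiter: a single per-IP login budget
// (100 attempts per 10 minutes, the default the advisory quotes) consumed by both the
// HTTP and the WebSocket login paths. All names and message shapes are assumptions.

const MAX_ATTEMPTS = 100;
const LIMIT_WINDOW_MS = 10 * 60 * 1000;

class LoginRateLimiter {
  // `now` is injectable so the behaviour can be exercised with a fake clock.
  constructor({ max = MAX_ATTEMPTS, windowMs = LIMIT_WINDOW_MS, now = Date.now } = {}) {
    this.max = max;
    this.windowMs = windowMs;
    this.now = now;
    this.attempts = new Map(); // ip -> timestamps of attempts still inside the window
  }

  // Record one attempt for ip. Returns true if still within budget, false if blocked.
  consume(ip) {
    const t = this.now();
    const recent = (this.attempts.get(ip) || []).filter((ts) => t - ts < this.windowMs);
    const allowed = recent.length < this.max;
    if (allowed) recent.push(t);
    this.attempts.set(ip, recent);
    return allowed;
  }
}

// Resolve the client IP for rate limiting. X-Forwarded-For is honoured only when the
// TCP peer is a trusted reverse proxy; otherwise a direct client could spoof a new
// "IP" on every attempt and get a fresh budget each time. With a trusted peer, walk
// the header from the right past further trusted hops to the first untrusted address.
function clientIp(socketAddr, headers, trustedProxies) {
  if (!trustedProxies.has(socketAddr)) return socketAddr;
  const chain = String(headers['x-forwarded-for'] || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(chain[i])) return chain[i];
  }
  return socketAddr;
}

// Constructed credential store. A real server compares a bcrypt hash here; the
// plaintext map only keeps the example self-contained.
const USERS = new Map([['skipper', 'correct-horse']]);
function checkPassword(username, password) {
  return USERS.get(username) === password;
}

// HTTP login route. Before the fix this was the only throttled path.
function loginOverHttp(limiter, req) {
  const ip = clientIp(req.socketAddr, req.headers, req.trustedProxies);
  if (!limiter.consume(ip)) return { status: 429, body: 'Too many login attempts' };
  const ok = checkPassword(req.body.username, req.body.password);
  return ok ? { status: 200, body: 'token' } : { status: 401, body: 'Invalid credentials' };
}

// WebSocket login handler. The vulnerable version called the login function straight
// away; here it draws from the same limiter as the HTTP route, keyed by the same IP.
function loginOverWebSocket(limiter, conn, frame) {
  if (!frame || !frame.login) return null; // not a login message
  const ip = clientIp(conn.socketAddr, conn.headers, conn.trustedProxies);
  if (!limiter.consume(ip)) {
    return { requestId: frame.requestId, statusCode: 429, message: 'Too many login attempts' };
  }
  const ok = checkPassword(frame.login.username, frame.login.password);
  return { requestId: frame.requestId, statusCode: ok ? 200 : 401 };
}

// Simulate the advisory's attack against the shared budget: 60 guesses over HTTP, then
// 60 over WebSocket from one address, then a legitimate user arriving via the proxy.
function simulateSharedBudget() {
  let clock = 0;
  const limiter = new LoginRateLimiter({ now: () => clock });
  const trusted = new Set(['192.0.2.1']); // assumed reverse-proxy address
  const attacker = { socketAddr: '203.0.113.7', headers: {}, trustedProxies: trusted };
  let allowed = 0;
  let blocked = 0;
  for (let i = 0; i < 60; i++) {
    const r = loginOverHttp(limiter, { ...attacker, body: { username: 'skipper', password: 'guess' + i } });
    if (r.status === 429) blocked++; else allowed++;
    clock += 50;
  }
  for (let i = 0; i < 60; i++) {
    const r = loginOverWebSocket(limiter, attacker, { requestId: i, login: { username: 'skipper', password: 'guess' + i } });
    if (r.statusCode === 429) blocked++; else allowed++;
    clock += 50;
  }
  const legit = loginOverWebSocket(limiter,
    { socketAddr: '192.0.2.1', headers: { 'x-forwarded-for': '198.51.100.4, 192.0.2.1' }, trustedProxies: trusted },
    { requestId: 'legit', login: { username: 'skipper', password: 'correct-horse' } });
  return { allowed, blocked, legitStatus: legit.statusCode };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulateSharedBudget()); // { allowed: 100, blocked: 20, legitStatus: 200 }
}
```

The point of the shared `Map` is that switching transports buys the attacker nothing: 60 HTTP guesses plus 40 WebSocket guesses exhaust the same 100-attempt budget, and the remaining 20 are refused. Counting every attempt rather than only failures matches express-rate-limit's behaviour on the HTTP route; the limiter is keyed by the address `clientIp` returns, which is why the proxy-trust rule matters as much as the limiter itself.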
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Signal K Server allows attackers to bypass HTTP rate limiting by using the WebSocket login endpoint to perform unlimited brute-force password guessing attacks. This can lead to unauthorized access to user accounts or sensitive data.
Such unauthorized access risks violating common security requirements found in standards and regulations like GDPR and HIPAA, which mandate protection of personal data and secure authentication mechanisms to prevent unauthorized access.
By enabling rapid brute-force attacks without effective rate limiting, the vulnerability undermines the integrity and confidentiality of user authentication, potentially leading to data breaches and non-compliance with these regulations.
The fix implemented in version 2.25.0 introduces a unified per-IP rate limiter across both HTTP and WebSocket login endpoints, mitigating the risk and helping restore compliance with security best practices required by such standards.