CVE-2025-66398

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-66398
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-66398.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-66398
Aliases
Published
2026-01-01T18:00:38.575Z
Modified
2026-01-08T06:45:27.724430Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
Details

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (restoreFilePath) of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., security.json, package.json), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

Database specific
{
    "cwe_ids": [
        "CWE-78",
        "CWE-913"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66398.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/signalk/signalk-server

Affected ranges

Type
GIT
Repo
https://github.com/signalk/signalk-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.1
0.1.10
0.1.11
0.1.12
0.1.13
0.1.18
0.1.19
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9

Other

latest

v0.*

v0.1.24
v0.1.26
v0.1.27
v0.1.28
v0.1.29
v0.1.30
v0.1.33

v1.*

v1.0.0
v1.0.0-0
v1.0.0-1
v1.0.0-2
v1.0.0-3
v1.0.0-4
v1.1.0
v1.1.1
v1.1.2
v1.10.0
v1.10.1
v1.10.2
v1.12.0
v1.13.0
v1.13.1
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.19.0
v1.19.0-beta.2
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.24.0
v1.25.0
v1.26.0
v1.27.0
v1.27.1
v1.28.0
v1.29.0
v1.3.0
v1.30.0
v1.31.0
v1.32.0
v1.32.0-beta.1
v1.32.0-beta.2
v1.32.0-beta.3
v1.33.0
v1.33.0-beta.1
v1.34.0
v1.35.0
v1.35.1
v1.35.2
v1.36.0
v1.36.0-beta.1
v1.36.0-beta.2
v1.36.0-beta.3
v1.37.0
v1.37.0-beta.1
v1.37.0-beta.3
v1.37.1
v1.37.2
v1.37.3
v1.37.4
v1.37.5
v1.37.6
v1.38.0
v1.38.1
v1.39.0
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.40.0
v1.41.0
v1.41.0-beta.1
v1.41.0-beta.2
v1.41.0-beta.3
v1.41.0-beta.4
v1.41.1
v1.41.2
v1.41.3
v1.42.0
v1.43.0
v1.44.0
v1.45.0
v1.46.0
v1.46.1
v1.46.2
v1.46.3
v1.5.0
v1.6.0
v1.7.0
v1.7.1
v1.8.0
v1.9.0
v1.9.1

v2.*

v2.0.0
v2.0.0-beta.10
v2.0.0-beta.11
v2.0.0-beta.12
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-beta.4
v2.0.0-beta.5
v2.0.0-beta.6
v2.0.0-beta.7
v2.0.0-beta.8
v2.0.0-beta.9
v2.1.0
v2.1.1
v2.10.0
v2.11.0
v2.12.0
v2.13.0
v2.13.0-beta.0
v2.13.0-beta.1
v2.13.0-beta.2
v2.13.0-beta.3
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.14.0
v2.14.0-beta.0
v2.14.0-beta.1
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.15.0
v2.15.0-beta.5
v2.15.0-beta.6
v2.15.1
v2.15.2
v2.15.3
v2.16.0
v2.17.0
v2.17.1
v2.17.2
v2.18.0
v2.19.0-beta.1
v2.19.0-beta.2
v2.19.0-beta.3
v2.19.0-beta.4
v2.19.0-beta.5
v2.2.0
v2.3.0
v2.3.1
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.7.2
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-66398.json"