exploitDog

CVE-2025-66398

Published: 01 Jan 2026
Source: nvd
CVSS3: 9.6
CVSS3: 8.8
EPSS: Low

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (restoreFilePath) of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., security.json, package.json), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

Vulnerable configurations

Configuration 1
cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*
Versions before 2.19.0 (exclusive)

EPSS

Percentile: 38%
0.00169
Low

CVSS3: 9.6 Critical
CVSS3: 8.8 High

Weaknesses

CWE-78

Related vulnerabilities

CVSS3: 9.6
github
about 1 month ago

Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
