CVE-2025-68620
📋 TL;DR
Signal K Server versions before 2.19.0 allow unauthenticated attackers to steal JWT authentication tokens through two chained vulnerabilities: unauthenticated WebSocket request enumeration and unauthenticated token polling. This enables complete authentication bypass and credential hijacking. Anyone running Signal K Server on boats or marine systems with the vulnerable configuration is affected.
💻 Affected Systems
- Signal K Server
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Signal K Server with attacker gaining administrative privileges, potentially allowing control over marine navigation systems, data theft, or system disruption.
Likely Case
Attackers steal legitimate device credentials to gain unauthorized access to marine data streams, potentially monitoring or manipulating boat systems.
If Mitigated
With proper network segmentation and authentication controls, the impact is limited to isolated marine network segments.
🎯 Exploit Status
Attack requires chaining two vulnerabilities but both are straightforward. No authentication needed. Attackers can either create spoofed requests or monitor existing ones.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.19.0
Vendor Advisory: https://github.com/SignalK/signalk-server/security/advisories/GHSA-fq56-hvg6-wvm5
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Stop Signal K Server.
3. Update to version 2.19.0 or later using your package manager or a manual installation.
4. Restart Signal K Server.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable Readonly Access
Set allow_readonly to false in the server configuration to prevent unauthenticated WebSocket connections.
Edit config file: set "allow_readonly": false in security settings
Network Segmentation
Restrict access to the Signal K Server WebSocket (stream) and REST API endpoints to trusted networks only.
Use firewall rules to block external access to port 3000 (default) and WebSocket endpoints
🧯 If You Can't Patch
- Implement strict network access controls to isolate Signal K Server from untrusted networks
- Monitor for unusual WebSocket connections to /signalk/v1/stream?serverevents=all and polling to /signalk/v1/access/requests/
🔍 How to Verify
Check if Vulnerable:
Check whether the server is running a version below 2.19.0 and whether WebSocket connections to /signalk/v1/stream?serverevents=all return ACCESS_REQUEST events without authentication.
Check Version:
Check server logs or use: curl -s http://localhost:3000/signalk/v1/api/ | grep version
Verify Fix Applied:
Verify version is 2.19.0 or later and that unauthenticated WebSocket connections no longer receive ACCESS_REQUEST events.
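The version check above is easy to get wrong with a plain string comparison ("2.9.0" sorts after "2.19.0" lexically, yet it is the older and vulnerable release). The following added example, which is not part of this advisory or of the Signal K project, parses the version string properly and compares it against the 2.19.0 fix threshold given above. It assumes the JSON returned by /signalk/v1/api/ carries the version under server.version; the sample response embedded below is constructed for illustration.

```python
"""Offline check of a Signal K Server version string against the 2.19.0 fix.

Added example, not part of the advisory or of the Signal K project. The JSON
layout (server.version) is an assumption; the threshold 2.19.0 comes from the
advisory.
"""
import json
import re

FIXED_VERSION = (2, 19, 0)  # first release containing the fix (from the advisory)

# Constructed sample of what `curl -s http://localhost:3000/signalk/v1/api/`
# might return; the field layout is assumed, the values are made up.
SAMPLE_RESPONSE = json.dumps({
    "endpoints": {"v1": {"version": "1.0.0",
                         "signalk-http": "http://localhost:3000/signalk/v1/api/"}},
    "server": {"id": "signalk-server-node", "version": "2.9.0"},
})

_VERSION_RE = re.compile(
    r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?"
)


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[-prerelease][+build]' into a comparable tuple.

    A pre-release such as 2.19.0-beta.1 sorts before the final 2.19.0, so it is
    still treated as unfixed. Build metadata is ignored, as semver requires.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    is_final = 0 if m.group(4) else 1  # final release ranks above its pre-releases
    return (major, minor, patch, is_final)


def is_vulnerable(version_text):
    """True when the server runs anything older than the final 2.19.0 release."""
    return parse_version(version_text) < FIXED_VERSION + (1,)


def extract_server_version(api_json):
    """Pull server.version out of the API root document (assumed layout)."""
    doc = json.loads(api_json)
    return doc["server"]["version"]


def check_response(api_json):
    """Combine extraction and comparison into one verdict dict."""
    version = extract_server_version(api_json)
    return {"version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))
    # Demonstrates the lexical-comparison pitfall the check avoids.
    print("lexical comparison says fixed:", "2.9.0" >= "2.19.0",
          "| parsed comparison says vulnerable:", is_vulnerable("2.9.0"))
```

Feed the output of the curl command from the advisory into check_response() instead of the constructed sample to test a real installation; the pre-release handling matters if a host was upgraded to a 2.19.0 beta build rather than the final release.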
📡 Detection & Monitoring
Log Indicators:
- Multiple unauthenticated WebSocket connections to stream endpoint
- Unauthenticated polling of access request endpoints
- Unusual JWT token issuance patterns
Network Indicators:
- WebSocket traffic to /signalk/v1/stream?serverevents=all from untrusted sources
- HTTP GET requests to /signalk/v1/access/requests/* without authentication
SIEM Query:
source="signalk-server" AND auth_status="unauthenticated" AND ((uri_path="/signalk/v1/stream" AND query="serverevents=all") OR uri_path="/signalk/v1/access/requests/*")
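The indicators above are most useful when correlated per source: a single unauthenticated hit on the stream endpoint is noise, but the same source both subscribing with serverevents=all and repeatedly polling /signalk/v1/access/requests/* is the two-step pattern this advisory describes. The following added example, which is not from the advisory or the Signal K project, runs that correlation over constructed log lines. The JSON-lines format (fields ts, src_ip, method, path, query, authenticated) is invented for illustration; the endpoint paths and the query parameter come from the Network Indicators above.

```python
"""Per-source correlation of the advisory's network indicators.

Added example, not from the advisory or the Signal K project. The log format
and every sample line below are constructed; adapt classify() to the fields
your own access log actually provides.
"""
import json
from collections import defaultdict
from urllib.parse import parse_qs

STREAM_PATH = "/signalk/v1/stream"                 # from the advisory
ACCESS_REQ_PREFIX = "/signalk/v1/access/requests/"  # from the advisory
POLL_THRESHOLD = 3  # repeated unauthenticated polls from one source (assumed tuning)

# Constructed sample log (JSON lines). 192.0.2.44 shows both indicators,
# 10.0.0.7 a single poll, 10.0.0.9 an authenticated stream subscription.
SAMPLE_LOG = """\
{"ts":"2025-01-10T10:00:01Z","src_ip":"10.0.0.5","method":"GET","path":"/signalk/v1/api/","query":"","authenticated":false}
{"ts":"2025-01-10T10:00:02Z","src_ip":"192.0.2.44","method":"GET","path":"/signalk/v1/stream","query":"subscribe=none&serverevents=all","authenticated":false}
{"ts":"2025-01-10T10:00:03Z","src_ip":"192.0.2.44","method":"GET","path":"/signalk/v1/access/requests/abc123","query":"","authenticated":false}
{"ts":"2025-01-10T10:00:04Z","src_ip":"192.0.2.44","method":"GET","path":"/signalk/v1/access/requests/abc123","query":"","authenticated":false}
{"ts":"2025-01-10T10:00:05Z","src_ip":"192.0.2.44","method":"GET","path":"/signalk/v1/access/requests/abc123","query":"","authenticated":false}
{"ts":"2025-01-10T10:00:06Z","src_ip":"10.0.0.9","method":"GET","path":"/signalk/v1/stream","query":"serverevents=all","authenticated":true}
{"ts":"2025-01-10T10:00:07Z","src_ip":"10.0.0.7","method":"GET","path":"/signalk/v1/access/requests/def456","query":"","authenticated":false}
"""


def classify(event):
    """Return the advisory indicator an unauthenticated request matches, or None."""
    if event.get("authenticated"):
        return None  # authenticated clients are expected to see these endpoints
    path = event.get("path", "")
    if path == STREAM_PATH:
        # parse_qs handles ordering and extra parameters (subscribe=none&serverevents=all)
        params = parse_qs(event.get("query", ""))
        if "all" in params.get("serverevents", []):
            return "stream_serverevents_all"
    if path.startswith(ACCESS_REQ_PREFIX) and event.get("method") == "GET":
        return "access_request_poll"
    return None


def analyse(log_text):
    """Count indicators per source IP and rate each source.

    high   : both indicators from one source (the chained pattern)
    medium : stream subscription alone, or polling at/above POLL_THRESHOLD
    low    : a single stray poll
    """
    counts_by_src = defaultdict(
        lambda: {"stream_serverevents_all": 0, "access_request_poll": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        indicator = classify(event)
        if indicator:
            counts_by_src[event["src_ip"]][indicator] += 1

    findings = {}
    for src, counts in counts_by_src.items():
        stream_seen = counts["stream_serverevents_all"] > 0
        polls = counts["access_request_poll"]
        if stream_seen and polls:
            severity = "high"
        elif stream_seen or polls >= POLL_THRESHOLD:
            severity = "medium"
        else:
            severity = "low"
        findings[src] = {**counts, "severity": severity}
    return findings


if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_LOG).items():
        print(src, finding)
```

Sources that never trip an indicator (10.0.0.5, and 10.0.0.9 because it authenticated) do not appear in the result at all, which keeps the output to the hosts worth looking at; the "high" rating is reserved for a source that exhibits both halves of the chain.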