Unknown · Signal K Server · CVE-2026-41893
**Name of the Vulnerable Software and Affected Versions**
Signal K Server versions prior to 2.25.0
**Description**
The WebSocket login path, in which a client sends a `{login: {username, password}}` message over an already established connection, calls `app.securityStrategy.login()` directly with no rate limiting. The HTTP login endpoints `POST /login` and `POST /signalk/v1/auth/login` are protected by `express-rate-limit` (defaulting to 100 attempts per 10-minute window via `HTTP RATE LIMITS`), but the WebSocket path is not subject to these limits, so an attacker can bypass them entirely. This allows password guessing bounded only by the cost of bcrypt verification, approximately 20 attempts per second. The issue is located in the `processLoginRequest` function in `src/interfaces/ws.ts`.
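The fix the description implies is to give the WebSocket login message the same budget the HTTP endpoints already get. The following is an added example, not Signal K Server's own code: a per-client sliding-window limiter placed in front of the login call in a WebSocket message handler. `handleWsLogin`, `LoginFn` and the `clientKey` argument are hypothetical names, and the assumed signature of the login call may differ from the real `securityStrategy.login()`.

```typescript
// Added example, not Signal K Server's own code. A sliding-window limiter that
// gives WebSocket login messages the same budget the HTTP login endpoints get
// from express-rate-limit (100 attempts per 10-minute window).
type LoginResult = { statusCode: number; message?: string };
// Assumed shape of the login call; the real securityStrategy.login() may differ.
type LoginFn = (username: string, password: string) => Promise<LoginResult>;

export class WsLoginRateLimiter {
  private readonly attempts = new Map<string, number[]>(); // client key -> attempt times (ms)
  private readonly max: number;
  private readonly windowMs: number;

  constructor(max: number = 100, windowMs: number = 10 * 60 * 1000) {
    this.max = max;
    this.windowMs = windowMs;
  }

  // Returns true and records the attempt if the client is within budget; false otherwise.
  // Every attempt counts, successful or not: the budget bounds guesses, not failures.
  allow(clientKey: string, now: number = Date.now()): boolean {
    const cutoff = now - this.windowMs;
    const recent = (this.attempts.get(clientKey) ?? []).filter((t) => t > cutoff);
    const allowed = recent.length < this.max;
    if (allowed) recent.push(now);
    this.attempts.set(clientKey, recent);
    return allowed;
  }

  // Drop clients with no attempts inside the window so the map does not grow unbounded.
  prune(now: number = Date.now()): void {
    const cutoff = now - this.windowMs;
    for (const [key, times] of this.attempts) {
      if (times.every((t) => t <= cutoff)) this.attempts.delete(key);
    }
  }
}

// Hypothetical gate in front of the login call inside a WebSocket message handler.
// clientKey would normally be the peer address of the socket that sent the message.
export async function handleWsLogin(
  clientKey: string,
  msg: { login: { username: string; password: string } },
  login: LoginFn,
  limiter: WsLoginRateLimiter,
  now: number = Date.now()
): Promise<LoginResult> {
  if (!limiter.allow(clientKey, now)) {
    // Reject before bcrypt runs, so an over-budget client costs no hashing work.
    return { statusCode: 429, message: 'Too many login attempts, try again later' };
  }
  return login(msg.login.username, msg.login.password);
}
```

Keying the limiter by socket peer address means reconnecting does not reset the budget, which is the point: the HTTP limiter is per client, and the WebSocket path should be too.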
**Recommendations**
Update to version 2.25.0.