PT-2026-1015 · Unknown · Signal K Server

Published: 2026-01-01 · Updated: 2026-01-12 · CVE-2025-66398

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Signal K Server versions prior to 2.19.0
Description: Signal K Server, a server application used on boats, is susceptible to an issue in which an unauthenticated attacker can manipulate the server's internal state through the /skServer/validateBackup API endpoint, specifically via the restoreFilePath variable. Successful exploitation allows the attacker to hijack the administrator's "Restore" functionality and overwrite critical server configuration files such as security.json and package.json, which can lead to account takeover and Remote Code Execution (RCE).
Recommendations: Versions prior to 2.19.0 should be updated to version 2.19.0 or later.

Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers
CVE-2025-66398
GHSA-W3X5-7C4C-66P9

Affected Products
Signal K Server