PT-2026-1023 · Unknown · Signal K Server
Published: 2026-01-01 · Updated: 2026-01-03
CVE-2025-68619 · CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Signal K Server versions prior to 2.19.0
Description: Signal K Server is a server application used in marine environments. In versions prior to 2.19.0, the appstore interface allows administrators to install npm packages through a REST API endpoint. The endpoint validates the package name against the npm registry, but the version parameter accepts arbitrary npm version specifiers, including URLs. Because npm can install packages from sources such as git repositories and HTTP/HTTPS URLs, and executes the postinstall script declared in package.json, passing the unsanitized version parameter to npm enables arbitrary code execution. An attacker with administrative access can exploit this by installing a package from a malicious source that contains a harmful postinstall script. The postinstall script is a section of package.json that defines commands to run after a package is installed.
Recommendations: Update versions prior to 2.19.0 to version 2.19.0 or later.
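As an added example (not Signal K Server's own code and not its actual 2.19.0 fix), the allow-list check below accepts only version specifiers that npm resolves from the registry and rejects anything npm would read as a URL, git remote, GitHub shorthand, alias, local path or tarball; the function names, the accepted grammar and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not Signal K Server's own code or its actual fix.
// Assumption: the appstore only needs registry installs, so the version
// parameter may be a semver version, a semver range, or a simple dist-tag.
// Everything npm could read as a URL, git remote, GitHub shorthand, alias,
// local path or tarball is rejected before `npm install <name>@<spec>` runs.

// One version: 1.2.3, 1.x, 2.*, 1.0.0-beta.1, 3.1.0+build.7
const VERSION = '(?:\\d+|[xX*])(?:\\.(?:\\d+|[xX*])){0,2}' +
  '(?:-[0-9A-Za-z]+(?:\\.[0-9A-Za-z]+)*)?(?:\\+[0-9A-Za-z]+(?:\\.[0-9A-Za-z]+)*)?';
// One comparator: ^1.2.3, ~1.2, >=1.0.0, <2, =1.0.0, or a bare version
const COMPARATOR = '(?:\\^|~|>=?|<=?|=)?' + VERSION;
// A range: "1.2.3 - 2.0.0", or comparators separated by spaces; "||" joins ranges
const RANGE = '(?:' + VERSION + ' - ' + VERSION + '|' +
  COMPARATOR + '(?: ' + COMPARATOR + ')*)';
const RANGE_RE = new RegExp('^' + RANGE + '(?: *\\|\\| *' + RANGE + ')*$');

// A dist-tag such as "latest" or "beta": letters, digits, "-" and "_" only.
// No dots, so no tag can end in ".tgz" and be read by npm as a tarball file.
const TAG_RE = /^[A-Za-z][A-Za-z0-9_-]*$/;

// Characters and suffixes that make npm treat a spec as a non-registry source
// (URL scheme, path separator, "@" in aliases/git URLs, "#" committish, tarball).
const NON_REGISTRY_RE = /[:/\\@#]|\.(?:tgz|tar\.gz|tar)$/i;

// True only for a spec that npm will resolve from the configured registry.
function isRegistryVersionSpec(spec) {
  if (typeof spec !== 'string' || spec.length === 0 || spec.length > 100) return false;
  if (NON_REGISTRY_RE.test(spec)) return false;
  return RANGE_RE.test(spec) || TAG_RE.test(spec);
}

// Builds the single `name@spec` argument for npm, throwing on anything unsafe.
// Pass the result as one argv element to child_process.execFile, not via a shell.
function buildInstallArg(packageName, spec) {
  if (!isRegistryVersionSpec(spec)) {
    throw new Error('rejected npm version specifier: ' + JSON.stringify(spec));
  }
  return packageName + '@' + spec;
}

// Constructed sample inputs: the first group should pass, the second be rejected.
const ACCEPTED = ['1.2.3', '^2.0.0', '~1.4', '>=1.0.0 <2.0.0', '1.x', 'latest', '1.0.0-beta.1 || 2.0.0'];
const REJECTED = ['https://example.invalid/evil.tgz', 'git+ssh://git@example.invalid/x.git',
  'github:someone/repo', 'someone/repo', 'file:../evil', './evil.tgz', 'evil.tgz',
  'npm:other@1.0.0', '1.0.0-beta.tgz', '', 'latest#main'];

function selfCheck() {
  return ACCEPTED.every(isRegistryVersionSpec) && !REJECTED.some(isRegistryVersionSpec);
}
```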

Exploit · Fix · RCE · Code Injection

Weakness Enumeration: none listed

Related Identifiers: CVE-2025-68619, GHSA-93JC-VQQC-VVVH

Affected Products: Signal K Server, npm