PT-2026-1024 · Unknown · Signal K Server

Published: 2026-01-01 · Updated: 2026-01-06 · CVE-2025-68620

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Signal K Server versions prior to 2.19.0

Description: Signal K Server is a server application used on boats. Versions prior to 2.19.0 allow an unauthenticated attacker to steal JWT authentication tokens by chaining WebSocket-based enumeration of access requests with unauthenticated polling of access request status. An unauthenticated WebSocket connection opened with the serverevents=all query parameter receives ACCESS REQUEST events that contain details of pending access requests. The access request status endpoint at /signalk/v1/access/requests/:id returns the full state of an access request, including the JWT token in plaintext, without requiring authentication. An attacker can therefore either create an access request and poll for its token once it is approved, or passively watch the WebSocket stream for legitimate requests and take their tokens when they are approved. The startServerEvents function and the queryRequest function are involved in this process.

Recommendations: Versions prior to 2.19.0 should be updated to version 2.19.0 or later.
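As an added defensive example that is not part of this advisory or of the Signal K Server project, the following Node.js script flags, in an access log, the two unauthenticated request patterns described above: WebSocket stream connections with serverevents=all and repeated reads of an access request's status. The JSON-lines log format and its `auth` field are assumptions for this example; /signalk/v1/stream is the standard Signal K WebSocket endpoint.

```javascript
// Added example, not Signal K Server project code. Flags, in a constructed
// access log, the two unauthenticated request patterns the advisory describes.
// Log format (one JSON object per line: ip, method, path, auth) is an assumption.
const STATUS_PATH = /^\/signalk\/v1\/access\/requests\/([^/?#]+)$/;

// Classify one log entry; only unauthenticated requests are of interest here.
function classify(entry) {
  if (entry.auth) return [];
  const parsed = new URL(entry.path, 'http://localhost');
  const findings = [];
  if (parsed.pathname === '/signalk/v1/stream' && parsed.searchParams.get('serverevents') === 'all') {
    findings.push({ ip: entry.ip, kind: 'unauth-serverevents-stream' });
  }
  const m = STATUS_PATH.exec(parsed.pathname);
  if (m && entry.method === 'GET') {
    findings.push({ ip: entry.ip, kind: 'unauth-access-request-status', requestId: m[1] });
  }
  return findings;
}

// Run over a log; repeated status reads of one request id from one client
// (>= pollThreshold) are reported as polling for a token.
function detect(lines, pollThreshold = 3) {
  const findings = [];
  const polls = new Map(); // "ip requestId" -> count
  for (const line of lines) {
    for (const f of classify(JSON.parse(line))) {
      findings.push(f);
      if (f.kind !== 'unauth-access-request-status') continue;
      const key = `${f.ip} ${f.requestId}`;
      polls.set(key, (polls.get(key) || 0) + 1);
    }
  }
  for (const [key, count] of polls) {
    if (count < pollThreshold) continue;
    const [ip, requestId] = key.split(' ');
    findings.push({ ip, kind: 'access-request-status-polling', requestId, count });
  }
  return findings;
}

// Constructed sample log, not real traffic.
const SAMPLE_LOG = [
  '{"ip":"10.0.0.5","method":"GET","path":"/signalk/v1/stream?subscribe=none&serverevents=all","auth":false}',
  '{"ip":"10.0.0.5","method":"GET","path":"/signalk/v1/access/requests/abc123","auth":false}',
  '{"ip":"10.0.0.5","method":"GET","path":"/signalk/v1/access/requests/abc123","auth":false}',
  '{"ip":"10.0.0.5","method":"GET","path":"/signalk/v1/access/requests/abc123","auth":false}',
  '{"ip":"10.0.0.9","method":"GET","path":"/signalk/v1/api/vessels/self","auth":true}',
];
```

On a patched server (2.19.0 or later) these requests should fail without credentials, so the same rule remains useful for spotting probes against the old endpoints.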

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2025-68620
GHSA-FQ56-HVG6-WVM5

Affected Products

Signal K Server