PT-2026-1025 · Unknown · Signal K Server

Published: 2026-01-01 · Updated: 2026-01-02 · CVE-2025-69203

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Signal K Server versions prior to 2.19.0

Description: Signal K Server is a server application used on boats. Versions prior to 2.19.0 contain issues in the access request system that, when combined, can be used in social engineering attacks against administrators. The system displays the description field of access requests prominently, while the actual permissions field is less visible. This allows an attacker to request elevated permissions, such as admin, while presenting a description suggesting limited access. Additionally, the server trusts the X-Forwarded-For HTTP header without validation, enabling attackers to spoof their IP address. This spoofed IP address is displayed to administrators, potentially making malicious requests appear to originate from trusted internal network addresses. An attacker can leverage device/source name enumeration to impersonate legitimate devices, craft a convincing description, and spoof a trusted IP address to request elevated permissions, increasing the likelihood of approval.

Recommendations: Upgrade to version 2.19.0 to resolve this issue.

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2025-69203
GHSA-VFRF-VCJ7-WVR8

Affected Products

Signal K Server