PT-2026-33877 · Unknown · Signal K Server
Published: 2026-04-21 · Updated: 2026-04-28 · CVE-2026-39320
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Signal K Server versions prior to 2.25.0
Description: An unauthenticated Regular Expression Denial of Service (ReDoS) exists in the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the context parameter of a stream subscription, an attacker can trigger catastrophic backtracking on the Node.js event loop when the server evaluates long string identifiers. The root cause is that the contextMatcher() and pathMatcher() functions in signalk-server/src/subscriptionmanager.ts fail to escape metacharacters such as +, (, ), ?, [ and ] before building a regular expression from the supplied value. Because the single-threaded event loop is blocked, server CPU usage rises to 100% and the system stops responding to both HTTP API and socket requests.
Recommendations: Update Signal K Server to version 2.25.0.
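To make the defect concrete, the following added example (written for this page, not code from Signal K Server) contrasts a naive matcher that drops a subscription pattern straight into a RegExp with a hardened one that escapes regex metacharacters first, so only the wildcard "*" keeps special meaning. The function names naiveMatcher, safeMatcher, escapeRegex and isWellFormedIdentifier, and the identifier character set used by the pre-check, are assumptions for illustration; the real contextMatcher() and pathMatcher() may differ in shape.

```javascript
// Added example, not Signal K Server's own code. Models a subscription
// context/path matcher that turns a pattern such as "vessels.*" into a RegExp.

// Every character that has meaning inside a JavaScript regular expression.
const REGEX_META = /[.*+?^${}()|[\]\\]/g;

// Escape each metacharacter so the text is matched literally ("$&" is the match).
function escapeRegex(text) {
  return text.replace(REGEX_META, '\\$&');
}

// Vulnerable shape (assumed, for contrast with the fix): only "*" is rewritten,
// so "+", "(", ")", "?", "[" and "]" in the subscriber's input reach the regex
// engine as syntax instead of as literal identifier characters.
function naiveMatcher(pattern) {
  const source = '^' + pattern.split('*').join('.*') + '$';
  return (candidate) => new RegExp(source).test(candidate);
}

// Hardened shape: escape each literal segment, then re-introduce the wildcard.
// The resulting regex holds only literals and ".*", so a caller cannot smuggle in
// nested quantifiers or groups for the engine to backtrack over.
function safeMatcher(pattern) {
  const source = '^' + pattern.split('*').map(escapeRegex).join('.*') + '$';
  return (candidate) => new RegExp(source).test(candidate);
}

// Defence in depth for the subscription handler: reject a context or path that
// is empty, overly long, or contains anything beyond the characters an
// identifier is expected to hold. The allowed set (letters, digits, ".", "-",
// "_", ":" and "*") and the 256-character cap are assumptions for this example.
const IDENTIFIER_OK = /^[A-Za-z0-9._:\-*]+$/;
function isWellFormedIdentifier(value) {
  return typeof value === 'string'
    && value.length > 0
    && value.length <= 256
    && IDENTIFIER_OK.test(value);
}

// Constructed sample subscription values, showing the behavioural difference.
const samples = ['vessels.*', 'vessels.self', 'vessels.(a+)'];
for (const pattern of samples) {
  console.log(pattern,
    'well-formed:', isWellFormedIdentifier(pattern),
    'naive matches vessels.aaa:', naiveMatcher(pattern)('vessels.aaa'),
    'safe matches vessels.aaa:', safeMatcher(pattern)('vessels.aaa'));
}
```

With the hardened matcher, a pattern such as "vessels.(a+)" only ever matches the literal string "vessels.(a+)", whereas the naive matcher treats it as a regex group and quantifier. The pre-check is the cheaper first line of defence: rejecting malformed identifiers before any RegExp is built keeps the event loop out of the regex engine entirely for untrusted input.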

Tags: Exploit · Fix · Resource Exhaustion · DoS


Related Identifiers

CVE-2026-39320
GHSA-7GCJ-PHFF-2884

Affected Products

Signal K Server