PT-2026-37162 · Unknown · Signal K Server

Mark Curphey · Published 2026-05-04 · Updated 2026-05-14 · CVE-2026-41893

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Signal K Server versions prior to 2.25.0
Description: The WebSocket login path, in which a client sends a {login: {username, password}} message over an already established connection, calls app.securityStrategy.login() directly with no rate limiting. The HTTP login endpoints POST /login and POST /signalk/v1/auth/login are protected by express-rate-limit (100 attempts per 10-minute window by default, configurable under HTTP RATE LIMITS), but the WebSocket path shares none of that accounting, so an attacker who opens a WebSocket can guess passwords with no attempt limit at all. The only throttle left is the server-side bcrypt cost, roughly 20 attempts per second. The issue is in the processLoginRequest function in src/interfaces/ws.ts.
Recommendations: Update to version 2.25.0 or later.
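The vulnerable and hardened handler shapes side by side, as an added example written for this entry and not Signal K Server's own code: one fixed-window limiter (shaped after the express-rate-limit max/windowMs defaults quoted above) is shared by every login path, and the WebSocket handler charges it before it ever reaches the credential check. LoginLimiter, wsLoginUnprotected, wsLoginProtected, simulateBruteForce, the user table, the clock values and the 203.0.113.7 address are all constructed for the demonstration; checkCredentials stands in for app.securityStrategy.login() and does not use bcrypt.

```typescript
// Added example, not Signal K Server code. All names here are hypothetical.

type Verdict = { ok: boolean; reason: 'ok' | 'bad credentials' | 'rate limited' };

// Fixed-window attempt counter keyed by client address, matching the shape of
// express-rate-limit's defaults (max attempts per windowMs). A single instance
// must be shared by every login path; a path that skips it is a bypass.
class LoginLimiter {
  private readonly hits = new Map<string, { count: number; resetAt: number }>();
  constructor(private readonly max: number, private readonly windowMs: number) {}

  // Records one attempt; true when it may proceed, false when over budget.
  consume(key: string, now: number): boolean {
    const slot = this.hits.get(key);
    if (slot === undefined || now >= slot.resetAt) {
      this.hits.set(key, { count: 1, resetAt: now + this.windowMs });
      return true;
    }
    slot.count += 1;
    return slot.count <= this.max;
  }
}

// Stand-in for app.securityStrategy.login(): a constructed user table rather
// than bcrypt hashes. The counter lets the simulation below measure how many
// guesses actually reached the (in real life, expensive) credential check.
const USERS: Record<string, string> = { admin: 'correct horse battery staple' };
let credentialChecks = 0;
function checkCredentials(username: string, password: string): boolean {
  credentialChecks += 1;
  return Object.prototype.hasOwnProperty.call(USERS, username) && USERS[username] === password;
}

interface WsLoginMessage { login?: { username?: string; password?: string } }

// Vulnerable shape: every {login: {...}} frame goes straight to the credential
// check, so the only throttle is the hashing cost.
function wsLoginUnprotected(msg: WsLoginMessage): Verdict {
  const username = msg.login?.username ?? '';
  const password = msg.login?.password ?? '';
  return checkCredentials(username, password)
    ? { ok: true, reason: 'ok' }
    : { ok: false, reason: 'bad credentials' };
}

// Hardened shape: charge the shared limiter, keyed by the socket's remote
// address, before touching credentials at all.
function wsLoginProtected(limiter: LoginLimiter, remoteAddress: string,
                          msg: WsLoginMessage, now: number): Verdict {
  if (!limiter.consume(remoteAddress, now)) {
    return { ok: false, reason: 'rate limited' };
  }
  return wsLoginUnprotected(msg);
}

// Simulates one client sending `guesses` wrong passwords over an open
// WebSocket and returns how many of them reached checkCredentials.
function simulateBruteForce(protectedPath: boolean, guesses: number): number {
  const before = credentialChecks;
  const limiter = new LoginLimiter(100, 10 * 60 * 1000); // defaults from the advisory
  const t0 = 1700000000000;                              // constructed clock, ms
  for (let i = 0; i < guesses; i++) {
    const msg: WsLoginMessage = { login: { username: 'admin', password: `guess-${i}` } };
    if (protectedPath) {
      wsLoginProtected(limiter, '203.0.113.7', msg, t0 + i * 50); // 50 ms apart, one window
    } else {
      wsLoginUnprotected(msg);
    }
  }
  return credentialChecks - before;
}
```

With the advisory's defaults, simulateBruteForce(false, 500) lets all 500 guesses through while simulateBruteForce(true, 500) stops at 100. Keying on the remote address is the minimum: behind a reverse proxy take the client address only from a trusted proxy header, and a second counter per target username slows a guesser that rotates source addresses. Once a socket is over budget it is cheaper to close it than to keep answering every frame.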


Weakness Enumeration

CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Identifiers

CVE-2026-41893
GHSA-VMFM-CH9H-5C7G

Affected Products

Signal K Server