CVE-2026-25228

Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 2.20.3

Description Signal K Server, a server application used in marine environments, contains a path traversal issue in its applicationData API. Authenticated users on Windows systems can potentially read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function inadequately validates input, specifically failing to block backslashes (``), which are recognized as directory separators on Windows systems. This allows attackers to bypass the intended applicationData directory restrictions. The vulnerability exists due to the incomplete sanitization of the appid parameter within the validateAppId() function. The function only checks for forward slashes (/) and does not account for backslashes, which, when combined with the path.join() function on Windows, enables directory traversal sequences like ....... A proof-of-concept (PoC) script demonstrates the ability to traverse directory levels and access sensitive files.

Recommendations Versions prior to 2.20.3: Add backslash validation to the validateAppId() function. Versions prior to 2.20.3: Utilize path.normalize() and validate that the resolved paths remain within the intended directory.