CVE-2025-68619

Exploit

EPSS 0.05%
Veröffentlicht 01.01.2026 18:35:19
Zuletzt bearbeitet 06.01.2026 17:57:24
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Signalk ≫ Signal K Server Version < 2.19.0

Signalk ≫ Signal K Server Version2.19.0 Updatebeta1

Signalk ≫ Signal K Server Version2.19.0 Updatebeta2

Signalk ≫ Signal K Server Version2.19.0 Updatebeta3

Signalk ≫ Signal K Server Version2.19.0 Updatebeta4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.164

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/SignalK/signalk-server/releases/tag/v2.19.0

Release Notes

https://github.com/SignalK/signalk-server/security/advisories/GHSA-93jc-vqqc-vvvh

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-68619

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-68619

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-68619

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-68619