CVE-2025-68619

HIGH

Signal K Server <2.19.0 - Code Injection

Title source: llm

Description

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue.

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/SignalK/signalk-server/security/advisories/GHSA-93jc-vqqc-vvvh

Release Notes x_refsource_misc

https://github.com/SignalK/signalk-server/releases/tag/v2.19.0

Scores

CVSS v3 7.2

EPSS 0.0006

EPSS Percentile 19.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-94

Status published

Products (3)

npm/signalk-server 0 - 2.9.0npm

signalk/signal_k_server 2.19.0 beta1 (4 CPE variants)

signalk/signal_k_server < 2.19.0

Published Jan 01, 2026

Tracked Since Feb 18, 2026