CVE-2025-66398

Sinking the Ship: Signal K Server State Pollution to RCE

Alon Barad
Software Engineer

Jan 2, 2026 · 6 min read

Executive Summary (TL;DR)

Signal K Server stored the path to a backup file in a global module variable. Unauthenticated attackers could upload a malicious backup, overwriting this variable. When a legitimate admin later triggered a restore, the server would use the attacker's file instead, leading to account takeover and eventual RCE via a separate command injection bug in the package manager.

A critical vulnerability in Signal K Server allows unauthenticated attackers to pollute a global variable used during backup restoration. By hijacking this shared state, an attacker can overwrite server configuration, gain administrative privileges, and chain a secondary command injection flaw in the package manager to achieve full Remote Code Execution (RCE).
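The summary above describes the root cause as a module-level variable holding the pending backup path that any caller could overwrite. The following is an added illustration, not Signal K Server's code: it models that shared-state pattern with plain functions (no HTTP framework, so it runs offline), shows how an unauthenticated upload decides what a later admin restore reads, and contrasts it with state scoped to the authenticated session plus a single-use check. The request shape, function names and file names are assumptions made for the illustration.

```javascript
// Added illustration (hypothetical, not Signal K Server's code) of the
// "shared module state" defect described in the advisory, beside a
// hardened version. Request objects are constructed for the example.

// --- Vulnerable pattern: one module-global variable for every caller ---
let pendingBackupPath = null; // shared by all requests, no owner, no auth

function vulnerableUpload(req) {
  // No authentication check: whoever uploads last wins the variable.
  pendingBackupPath = req.uploadedFile;
  return { status: 200 };
}

function vulnerableRestore(req) {
  // The admin triggers the restore, but the path was set by the last
  // upload, which may have come from an unauthenticated caller.
  return { status: 200, restoredFrom: pendingBackupPath };
}

// --- Hardened pattern: authenticate, scope state to the session, single use ---
const pendingByAdminSession = new Map(); // sessionId -> uploaded backup path

function isAdmin(req) {
  return Boolean(req.session && req.session.isAdmin);
}

function hardenedUpload(req) {
  if (!isAdmin(req)) return { status: 401 };
  // Only the admin who uploaded can later restore from this path.
  pendingByAdminSession.set(req.session.id, req.uploadedFile);
  return { status: 200 };
}

function hardenedRestore(req) {
  if (!isAdmin(req)) return { status: 401 };
  const path = pendingByAdminSession.get(req.session.id);
  if (!path) return { status: 400, error: 'no pending backup for this session' };
  pendingByAdminSession.delete(req.session.id); // consume it: one upload, one restore
  return { status: 200, restoredFrom: path };
}

// Replays the sequence from the advisory against both implementations:
// admin uploads, an unauthenticated caller uploads, admin restores.
function simulate() {
  const admin = { session: { id: 'admin-1', isAdmin: true }, uploadedFile: 'admin-backup.zip' };
  const anon = { session: null, uploadedFile: 'attacker-backup.zip' }; // constructed, no session

  vulnerableUpload(admin);
  const anonVuln = vulnerableUpload(anon);
  const vulnerable = vulnerableRestore(admin);

  hardenedUpload(admin);
  const anonHard = hardenedUpload(anon);
  const hardened = hardenedRestore(admin);
  const secondRestore = hardenedRestore(admin); // nothing pending any more

  return { anonVuln, vulnerable, anonHard, hardened, secondRestore };
}

module.exports = { vulnerableUpload, vulnerableRestore, hardenedUpload, hardenedRestore, simulate };
```

Running `simulate()` shows the vulnerable restore reading `attacker-backup.zip` even though the admin never chose it, while the hardened version rejects the anonymous upload with 401, restores `admin-backup.zip`, and refuses a second restore because the pending path was consumed. The detection angle for defenders follows from the same structure: an upload endpoint that accepts a file without a session, followed shortly by a restore from a different principal, is the sequence worth alerting on.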


Technical Appendix

CVSS Score: 9.6 / 10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Probability: 0.04%
EPSS Percentile: Top 100% most exploited

Affected Systems

Signal K Server < 2.19.0

Affected Versions Detail

Product: Signal K Server (Signal K)
Affected Versions: < 2.19.0
Fixed Version: 2.19.0

Attribute / Detail

CWE ID: CWE-1329 (Reliance on Component State)
Secondary CWE: CWE-78 (OS Command Injection)
Related CWE: CWE-662 (Improper Synchronization)
CVSS Score: 9.6 (Critical)
Attack Vector: Network (Unauthenticated)
Impact: Remote Code Execution (RCE)
Exploit Status: PoC Available

Vulnerability Timeline

2025-01-14: Vulnerability patched in commit 5c211ea
2025-01-15: Version 2.19.0 released
2025-01-15: GitHub Advisory published