CVE-2025-66398
9.60.04%
Sinking the Ship: Signal K Server State Pollution to RCE
Alon Barad
Software EngineerJan 2, 2026·6 min read·2 visits
PoC Available
Executive Summary (TL;DR)
Signal K Server stored the path to a backup file in a global module variable. Unauthenticated attackers could upload a malicious backup, overwriting this variable. When a legitimate admin later triggered a restore, the server would use the attacker's file instead, leading to account takeover and eventual RCE via a separate command injection bug in the package manager.
A critical vulnerability in Signal K Server allows unauthenticated attackers to pollute a global variable used during backup restoration. By hijacking this shared state, an attacker can overwrite server configurations, gain administrative privileges, and chain a secondary command injection flaw to achieve full Remote Code Execution (RCE).
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS Score
9.6/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HEPSS Probability
0.04%
Top 100% most exploited
Affected Systems
Signal K Server < 2.19.0
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Signal K Server Signal K | < 2.19.0 | 2.19.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-1329 (Reliance on Component State) |
| Secondary CWE | CWE-78 (OS Command Injection) |
| CVSS Score | 9.6 (Critical) |
| Attack Vector | Network (Unauthenticated) |
| Impact | Remote Code Execution (RCE) |
| Exploit Status | PoC Available |
MITRE ATT&CK Mapping
CWE-662
Improper Synchronization
Known Exploits & Detection
Vulnerability Timeline
Vulnerability patched in commit 5c211ea
2025-01-14
Version 2.19.0 released
2025-01-15
GitHub Advisory Published
2025-01-15