CVE-2025-68272

Sinking the Ship: Signal K Server Heap Exhaustion (CVE-2025-68272)

Amit Schendel
Senior Security Researcher

Jan 2, 2026 · 5 min read

Executive Summary (TL;DR)

Signal K Server < 2.19.0 contains an unauthenticated memory leak in its device authorization flow. Attackers can spam connection requests with large payloads, filling the JavaScript heap and crashing the server. Fix: Upgrade to 2.19.0+.

A critical Denial of Service vulnerability in Signal K Server allows unauthenticated remote attackers to crash the application via heap exhaustion. By flooding the access request endpoint, the Node.js process runs out of memory, potentially taking down navigation data integration on equipped vessels.
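To make the flaw concrete, here is an added example (not Signal K project code) modelling a pending access-request store: UnboundedPending is the pattern the advisory describes, where every unauthenticated request is retained in memory with no limit, and BoundedPending shows the defensive controls that keep the heap bounded. All class names, field names and limits are assumptions, not Signal K identifiers.

```javascript
// Added example, not Signal K project code: a minimal model of a pending
// access-request store. UnboundedPending is the pattern the advisory
// describes; BoundedPending caps count, payload size, per-source load and age.
// All names and limits here are assumptions, not Signal K identifiers.
const MAX_PENDING = 100;           // hard cap on outstanding requests
const MAX_DESCRIPTION_BYTES = 256; // cap on attacker-controlled text
const TTL_MS = 60 * 1000;          // unanswered requests expire
const PER_SOURCE_LIMIT = 5;        // outstanding requests per client address

class UnboundedPending {
  constructor() { this.requests = new Map(); }
  // Every request is retained until an operator approves or denies it.
  add(clientId, req) { this.requests.set(clientId, req); return { ok: true }; }
}

class BoundedPending {
  constructor(now = () => Date.now()) { this.requests = new Map(); this.now = now; }
  // Drop entries whose TTL has passed so abandoned requests cannot accumulate.
  prune() {
    const t = this.now();
    for (const [id, r] of this.requests) {
      if (t - r.createdAt > TTL_MS) this.requests.delete(id);
    }
  }
  add(clientId, req, source) {
    this.prune();
    if (typeof clientId !== 'string' || clientId.length > 64) return { ok: false, reason: 'bad_client_id' };
    const desc = String(req.description ?? '');
    if (Buffer.byteLength(desc, 'utf8') > MAX_DESCRIPTION_BYTES) return { ok: false, reason: 'payload_too_large' };
    if (this.requests.has(clientId)) return { ok: false, reason: 'duplicate' };
    let perSource = 0;
    for (const r of this.requests.values()) if (r.source === source) perSource++;
    if (perSource >= PER_SOURCE_LIMIT) return { ok: false, reason: 'source_limit' };
    if (this.requests.size >= MAX_PENDING) return { ok: false, reason: 'store_full' };
    this.requests.set(clientId, { description: desc, source, createdAt: this.now() });
    return { ok: true };
  }
}

// Simulates a flood of n requests carrying descBytes of text each (constructed
// input) and returns how many the store accepted; compare store.requests.size.
function flood(store, n, descBytes, source = '203.0.113.10') {
  const desc = 'x'.repeat(descBytes);
  let accepted = 0;
  for (let i = 0; i < n; i++) {
    if (store.add(`client-${i}`, { description: desc }, source).ok) accepted++;
  }
  return accepted;
}
```

The bounded store returns a reason for every rejection, which is what an operator would log and alert on when a single address starts tripping the per-source or size limits.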


Technical Appendix

CVSS Score: 7.5 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Probability: 0.04% (top 100% most exploited)

Affected Systems

Signal K Server < 2.19.0

Affected Versions Detail

Product: Signal K Server (Signal K)
Affected Versions: < 2.19.0
Fixed Version: 2.19.0

Attribute / Detail

CWE: CWE-400 (Uncontrolled Resource Consumption)
Attack Vector: Network
CVSS v3.1: 7.5 (High)
Impact: Denial of Service (Availability)
Privileges Required: None
Component: Access Request Handler

CWE-400: Uncontrolled Resource Consumption

The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

Vulnerability Timeline

2025-01-20: Patched in v2.19.0
2025-02-14: Vulnerability Analysis Published