Signal K RCE: How a Malicious npm Package Can Sink Your Boat
Jan 2, 2026·6 min read·4 visits
Executive Summary (TL;DR)
Authenticated administrators can achieve Remote Code Execution (RCE) on Signal K Server versions prior to 2.19.0. The vulnerability exists because the server passes unsanitized user input directly to `npm install`, allowing an attacker to specify a remote URL instead of a semantic version. This triggers the download of a malicious package and the immediate execution of its `postinstall` scripts.
Signal K Server, the open-source hub for marine data, contained a Remote Code Execution (RCE) vulnerability in its plugin management system. By failing to validate version strings passed to the npm installer, the server allowed authenticated administrators to trick the system into downloading and executing malicious packages from arbitrary URLs.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Signal K Server Signal K | < 2.19.0 | 2.19.0 |
| Attribute | Detail |
|---|---|
| Attack Vector | Network (Authenticated API) |
| Impact | Remote Code Execution (RCE) |
| CVSS v4.0 | 7.3 (High) |
| CWE ID | CWE-94 (Improper Control of Generation of Code) |
| Component | Plugin Management / npm wrapper |
| Prerequisites | Admin Credentials |
MITRE ATT&CK Mapping
The product allows user input to control or influence the generation of code that is then executed by the system.