Jan 2, 2026
Authenticated administrators can achieve Remote Code Execution (RCE) on Signal K Server versions prior to 2.19.0. The vulnerability exists because the server passes unsanitized user input directly to `npm install`, allowing an attacker to specify a remote URL instead of a semantic version. This triggers the download of a malicious package and the immediate execution of its `postinstall` scripts.
Signal K Server, the open-source hub for marine data, contained a Remote Code Execution (RCE) vulnerability in its plugin management system. By failing to validate version strings passed to the npm installer, the server allowed authenticated administrators to trick the system into downloading and executing malicious packages from arbitrary URLs.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Signal K Server | < 2.19.0 | 2.19.0 |

| Attribute | Detail |
|---|---|
| Attack Vector | Network (Authenticated API) |
| Impact | Remote Code Execution (RCE) |
| CVSS v4.0 | 7.3 (High) |
| CWE ID | CWE-94 (Improper Control of Generation of Code) |
| Component | Plugin Management / npm wrapper |
| Prerequisites | Admin Credentials |
The product allows user input to control or influence the generation of code that is then executed by the system.
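The root cause described above is that a user-controlled version string reaches `npm install` unchanged, and npm treats anything after the `@` as a spec (a URL, git remote, tarball path or dist-tag), not only a version. The following is an added example of an allow-list validator, not Signal K Server's own code or its actual fix; the package-name pattern and the constructed inputs are assumptions made for the illustration.

```javascript
// Added example, not Signal K Server's own code or its actual fix.
// npm accepts far more than a version after the "@" in `npm install name@spec`:
// URLs, git remotes, local tarballs and dist-tags, any of which can carry a
// postinstall script. The defence here is an allow-list: only an exact
// semantic version passes, everything else is rejected before npm is invoked.

// Official semver.org pattern: exact versions only, no "v" prefix, no ranges.
const SEMVER_RE =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

// Hypothetical package-name rule (an assumption, not from the advisory):
// optional @scope/, then lowercase letters, digits, ".", "_" or "-".
const PKG_NAME_RE = /^(?:@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;

function isExactSemver(spec) {
  return typeof spec === "string" && SEMVER_RE.test(spec);
}

// Returns the argv npm would be invoked with, or throws on any input that
// could make npm fetch from somewhere other than the configured registry.
// --ignore-scripts is defence in depth: even a registry package cannot run
// lifecycle hooks such as postinstall during the install step.
function buildInstallArgs(name, version) {
  if (typeof name !== "string" || !PKG_NAME_RE.test(name)) {
    throw new Error(`rejected package name: ${JSON.stringify(name)}`);
  }
  if (!isExactSemver(version)) {
    throw new Error(`rejected version spec: ${JSON.stringify(version)}`);
  }
  return ["install", "--ignore-scripts", `${name}@${version}`];
}

// Constructed inputs: the first two are what an administrator should send;
// the rest are spec forms npm would otherwise resolve or fetch itself.
const CONSTRUCTED_SPECS = [
  "2.19.0",
  "1.0.0-beta.1",
  "https://example.invalid/plugin.tgz",
  "github:someone/repo",
  "file:../plugin",
  "latest",
  "^2.0.0",
];

for (const spec of CONSTRUCTED_SPECS) {
  console.log(`${isExactSemver(spec) ? "accept" : "reject"}  ${spec}`);
}
```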