RCE in Signalk Signalk-server
CVE-2025-68619
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that th…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.001 (15.8th percentile)
Affected products
- Signalk Signalk-server — versions < 2.19.0
Weakness classification (CWE)
References
- https://github.com/SignalK/signalk-server/security/advisories/GHSA-93jc-vqqc-vvvh (x_refsource_CONFIRM)
- https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 (x_refsource_MISC)