
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression D…

Published: 20 April 2026 at 22:00:00

Alert date: 21 April 2026 at 07:08:02

Source: nvd.nist.gov


Mobile & IoT, Web Technologies

Signal K Server versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack in WebSocket subscription handling logic. Attackers can inject unescaped regex metacharacters into the context parameter, causing catastrophic backtracking in the Node.js event loop. This results in complete server unresponsiveness with 100% CPU usage. The vulnerability affects boat hub servers running Signal K Server. Version 2.25.0 contains the fix for this critical DoS vulnerability.
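The class of bug described above, client text compiled into a regular expression, is shown below next to a matcher that uses no regex at all. This is an added illustration and not Signal K Server source or its 2.25.0 fix; the function names, the 256-character cap and the sample context are assumptions.

```javascript
'use strict';
// Added illustration; not Signal K Server source. All names are hypothetical.
const MAX_CONTEXT_LENGTH = 256; // assumed cap, not a Signal K value

// Vulnerable shape: only "." and "*" are rewritten, so every other regex
// metacharacter sent by the client is compiled as pattern syntax.
function unsafeContextMatcher(context) {
  const pattern = context.replace(/\./g, '\\.').replace(/\*/g, '.*');
  const re = new RegExp('^' + pattern + '$');
  return (candidate) => re.test(candidate);
}

// Hardened shape: no RegExp. "*" is the only wildcard and every other
// character is compared literally, so matching time is bounded by
// plain substring scans instead of regex backtracking.
function safeContextMatcher(context) {
  if (typeof context !== 'string' || context.length === 0 ||
      context.length > MAX_CONTEXT_LENGTH) {
    throw new TypeError('invalid subscription context');
  }
  const parts = context.split('*');
  if (parts.length === 1) return (candidate) => candidate === context;
  const first = parts[0];
  const last = parts[parts.length - 1];
  const middle = parts.slice(1, -1).filter((p) => p.length > 0);
  return (candidate) => {
    if (candidate.length < first.length + last.length) return false;
    if (!candidate.startsWith(first) || !candidate.endsWith(last)) return false;
    let pos = first.length;
    const end = candidate.length - last.length;
    for (const part of middle) { // literal segments must appear in order
      const idx = candidate.indexOf(part, pos);
      if (idx === -1 || idx + part.length > end) return false;
      pos = idx + part.length;
    }
    return true;
  };
}

// Constructed sample input: grouping and alternation supplied by a client.
const probe = 'vessels.(self|other)';
console.log(unsafeContextMatcher(probe)('vessels.self')); // true: parsed as regex
console.log(safeContextMatcher(probe)('vessels.self'));   // false: matched literally
```
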

Affected products:

Signal K Server

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.