Perceptive Security
SOC/SIEM Consultancy

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression D…
Published:
20 April 2026 at 22:00:00
Alert date:
21 April 2026 at 17:05:49
Source:
nvd.nist.gov
Mobile & IoT, Web Technologies
Signal K Server versions prior to 2.25.0 contain an unauthenticated Regular Expression Denial of Service (ReDoS) vulnerability in the WebSocket subscription handling logic. Attackers can inject unescaped regex metacharacters into the context parameter of stream subscriptions, triggering catastrophic backtracking that blocks the Node.js event loop. The result is a complete denial of service: the server pins the CPU at 100% and stops responding to API or socket requests. The vulnerability affects the server's self UUID evaluation process. Version 2.25.0 contains a fix for this critical issue.
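As an added example (not code from the Signal K project or from this advisory), the following shows how a Node.js server can turn a client-supplied subscription context into a matcher without letting the client control the structure of the regular expression. It assumes, since the advisory does not specify the grammar, that contexts are dot-separated paths such as vessels.self or vessels.* and that * is the only intended wildcard; the function names and the segment limits are the example's own choices.

```javascript
// Added example, not Signal K's code. Assumption: a subscription context is
// a dot-separated path ("vessels.self", "vessels.*") where '*' may stand in
// for a whole segment. The unsafe shape this replaces is compiling the raw
// client value with new RegExp(context).

// Escape every regex metacharacter so it can only match literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
}

// Allowlist for one path segment: identifiers Signal K-style paths need
// (letters, digits, '_', ':', '-'), capped in length. Hypothetical bounds.
const SEGMENT = /^[A-Za-z0-9_:-]{1,64}$/;
const MAX_SEGMENTS = 8;

// Validate before any RegExp is built. Returns the segment list, or null
// when the value is not a string, is too long, has too many segments, or
// contains a segment that is neither '*' nor allowlisted.
function validateContext(context) {
  if (typeof context !== 'string' || context.length > 256) return null;
  const segments = context.split('.');
  if (segments.length > MAX_SEGMENTS) return null;
  for (const seg of segments) {
    if (seg !== '*' && !SEGMENT.test(seg)) return null;
  }
  return segments;
}

// Compile a validated context. Each '*' becomes '[^.]*' and segments are
// joined with a literal '\.', so every quantified group is fenced in by a
// literal dot or an anchor and no two groups can compete for the same
// characters: matching is linear in the candidate length. Literal segments
// are escaped anyway as defence in depth, should the allowlist ever widen.
function contextToRegExp(context) {
  const segments = validateContext(context);
  if (segments === null) {
    throw new Error('rejected subscription context: ' + JSON.stringify(context));
  }
  const source = segments
    .map((seg) => (seg === '*' ? '[^.]*' : escapeRegExp(seg)))
    .join('\\.');
  return new RegExp('^' + source + '$');
}

// Convenience wrapper: does a subscription context select this candidate
// (for example the server's own "vessels.<self uuid>" context)?
function contextMatches(context, candidate) {
  return contextToRegExp(context).test(candidate);
}

// Returns true when the value is rejected before reaching the regex engine.
function isRejected(context) {
  try {
    contextToRegExp(context);
    return false;
  } catch (err) {
    return true;
  }
}
```

The important property is that the regex engine never sees client-chosen quantifiers or groups: rejection happens on the plain string, and the only repetition the compiled pattern contains is one `[^.]*` per wildcard segment, each bounded by literal dots. A value such as `vessels.(a+)+` is refused by the allowlist before `new RegExp` is ever called, which is also the point to emit a log line for detection.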
Technical details
Mitigation steps:
Affected products:
Signal K Server
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-39320
https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d
https://github.com/SignalK/signalk-server/pull/2568
https://github.com/SignalK/signalk-server/releases/tag/v2.25.0
https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
