How severe is CVE-2025-66398?

CVE-2025-66398 has a CVSS v3 score of 9.6 (CRITICAL).

CVE-2025-66398

Name: signal_k_server
Author: signalk

9.6CRITICAL

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via

Veröffentlicht: 1/1/2026Aktualisiert: 1/6/2026

Beschreibung

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

KI-AnalyseKI-gestützt

Betroffene Produkte

signalksignal_k_server

Referenzen

https://github.com/SignalK/signalk-server/releases/tag/v2.19.0
Release Notes
https://github.com/SignalK/signalk-server/security/advisories/GHSA-w3x5-7c4c-66p9
ExploitVendor Advisory