GHSA-CXJ8-GGF2-P57C

Vulnerability from github – Published: 2026-04-03 21:43 – Updated: 2026-04-03 21:43
VLAI?
Summary
Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
Details

Summary

SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an attacker spoof the Host header to steal OAuth authorization codes and hijack user sessions in realistic deployments as The OIDC provider will then send the authorization code to whatever domain was injected.

The OIDC specification requires redirect_uri to be pre-registered and not derived from untrusted input. Constructing it from the Host header violates this requirement and introduces a trust boundary break. This risk is actively amplified by SignalK's official documentation, which instructs administrators to deploy an Nginx configuration that forwards the vulnerable Host header, exposing production environments.

Vulnerability Root Cause

Two factors combine to create this vulnerability:

Factor 1: redirectUri is optional with an unsafe fallback In types.ts:30, redirectUri is declared as optional

export interface OIDCConfig {
  // ...
  redirectUri?: string   // ← Optional, no default value
  // ...
}

The defaults in types.ts:175-185 do not include a redirectUri: never checks or warns about a missing redirectUri. This means a fully "valid" OIDC configuration can exist without redirectUri, silently activating the vulnerable fallback path.

export const OIDC_DEFAULTS: Omit<OIDCConfig, 'issuer' | 'clientId' | 'clientSecret'> = {
  enabled: false,
  scope: 'openid email profile',
  defaultPermission: 'readonly',
  autoCreateUsers: true,
  providerName: 'SSO Login',
  autoLogin: false
  // ← No redirectUri default
}

Factor 2: Unsafe Host header usage in two locations Location 1 — Login handler in oidc-auth.ts:278-282:

const protocol = req.secure ? 'https' : 'http'
const host = req.get('host')                          // ← Attacker-controlled
const redirectUri =
  oidcConfig.redirectUri ||                            // ← Only safe if explicitly set
  `${protocol}://${host}${skAuthPrefix}/oidc/callback` // ← Uses attacker's Host

This redirectUri flows into createAuthState() → buildAuthorizationUrl() → OIDC provider's redirect_uri parameter. The OIDC provider will then send the authorization code to whatever domain was injected.

Location 2 — Logout handler in oidc-auth.ts:513-515:

const protocol = req.secure ? 'https' : 'http'
const host = req.get('host')                            // ← Same pattern
const fullPostLogoutUri = `${protocol}://${host}${postLogoutRedirect}`

This constructs the post_logout_redirect_uri sent to the OIDC provider's end_session_endpoint, allowing an attacker to redirect the user to an attacker controlled domain after logout.

Official Documentation Enables the Attack

SignalK's own security documentation at docs/security.md:222-228 provides the recommended nginx reverse proxy configuration: The proxy_set_header Host $host; directive forwards the client-supplied Host header to the backend unmodified. Without this directive, nginx would replace the Host header with the upstream address (localhost:3000), which would neutralize the injection.

location / {
    proxy_pass http://localhost:3000;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;   # ← Forwards client's Host header to SignalK
}

Administrators who follow the official documentation are directly enabling this vulnerability behind their reverse proxy.

Proof of Concept

Tested against SignalK Server v2.23.0 in Docker with OIDC enabled .

Step 1 — Send login request with injected Host header: $response = Invoke-WebRequest -Uri "http://localhost:3000/signalk/v1/auth/oidc/login" -Headers @{"Host"="evil.com"} -MaximumRedirection 0 -ErrorAction SilentlyContinue -UseBasicParsing

Step 2: Decode and print the injected redirect URL [uri]::UnescapeDataString($response.Headers.Location) Screenshot 2026-03-25 171251

Impact

  • Authorization Code Theft: The OIDC provider sends the OAuth authorization code to the attacker's domain instead of the legitimate server.
  • Session Hijack: The attacker can exchange the stolen code for tokens and create a session as the victim user.
  • Logout Redirect Hijack: The logout handler has the same pattern, allowing post-logout redirection to an attacker domain (phishing opportunity).
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "signalk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.20.0"
            },
            {
              "fixed": "2.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34083"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T21:43:22Z",
    "nvd_published_at": "2026-04-02T17:16:23Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nSignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an **attacker spoof the Host header** to steal OAuth authorization codes and hijack user sessions in realistic deployments as The OIDC provider will then send the authorization code to whatever domain was injected.\n\n_The OIDC specification requires redirect_uri to be pre-registered and not derived from untrusted input. Constructing it from the Host header violates this requirement and introduces a trust boundary break._\nThis risk is actively amplified by SignalK\u0027s official documentation, which instructs administrators to deploy an Nginx configuration that forwards the vulnerable Host header, exposing production environments.\n\n## Vulnerability Root Cause\n\nTwo factors combine to create this vulnerability:\n\n**Factor 1: redirectUri is optional with an unsafe fallback**\nIn types.ts:30, redirectUri is declared as optional\n```\nexport interface OIDCConfig {\n  // ...\n  redirectUri?: string   // \u2190 Optional, no default value\n  // ...\n}\n```\n\nThe defaults in types.ts:175-185 do not include a redirectUri: never checks or warns about a missing redirectUri. This means a fully \"valid\" OIDC configuration can exist without redirectUri, silently activating the vulnerable fallback path.\n```\nexport const OIDC_DEFAULTS: Omit\u003cOIDCConfig, \u0027issuer\u0027 | \u0027clientId\u0027 | \u0027clientSecret\u0027\u003e = {\n  enabled: false,\n  scope: \u0027openid email profile\u0027,\n  defaultPermission: \u0027readonly\u0027,\n  autoCreateUsers: true,\n  providerName: \u0027SSO Login\u0027,\n  autoLogin: false\n  // \u2190 No redirectUri default\n}\n```\n\n**Factor 2: Unsafe Host header usage in two locations**\nLocation 1 \u2014 Login handler in oidc-auth.ts:278-282:\n```\nconst protocol = req.secure ? \u0027https\u0027 : \u0027http\u0027\nconst host = req.get(\u0027host\u0027)                          // \u2190 Attacker-controlled\nconst redirectUri =\n  oidcConfig.redirectUri ||                            // \u2190 Only safe if explicitly set\n  `${protocol}://${host}${skAuthPrefix}/oidc/callback` // \u2190 Uses attacker\u0027s Host\n\n```\nThis redirectUri flows into createAuthState() \u2192 buildAuthorizationUrl() \u2192 OIDC provider\u0027s redirect_uri parameter. The OIDC provider will then send the authorization code to whatever domain was injected.\n\nLocation 2 \u2014 Logout handler in oidc-auth.ts:513-515:\n```\nconst protocol = req.secure ? \u0027https\u0027 : \u0027http\u0027\nconst host = req.get(\u0027host\u0027)                            // \u2190 Same pattern\nconst fullPostLogoutUri = `${protocol}://${host}${postLogoutRedirect}`\n```\nThis constructs the post_logout_redirect_uri sent to the OIDC provider\u0027s end_session_endpoint, allowing an attacker to redirect the user to an attacker controlled domain after logout.\n\n### Official Documentation Enables the Attack\n\nSignalK\u0027s own security documentation at docs/security.md:222-228 provides the recommended nginx reverse proxy configuration:\nThe proxy_set_header Host $host; directive forwards the client-supplied Host header to the backend unmodified. Without this directive, nginx would replace the Host header with the upstream address (localhost:3000), which would neutralize the injection.\n```\nlocation / {\n    proxy_pass http://localhost:3000;\n    proxy_set_header X-Forwarded-For $remote_addr;\n    proxy_set_header X-Forwarded-Proto $scheme;\n    proxy_set_header Host $host;   # \u2190 Forwards client\u0027s Host header to SignalK\n}\n```\nAdministrators who follow the official documentation are directly enabling this vulnerability behind their reverse proxy.\n\n## Proof of Concept \nTested against SignalK Server v2.23.0 in Docker with OIDC enabled .\n\n**Step 1 \u2014 Send login request with injected Host header:**\n`$response = Invoke-WebRequest -Uri \"http://localhost:3000/signalk/v1/auth/oidc/login\" -Headers @{\"Host\"=\"evil.com\"} -MaximumRedirection 0 -ErrorAction SilentlyContinue -UseBasicParsing`\n\n**Step 2: Decode and print the injected redirect URL**\n`[uri]::UnescapeDataString($response.Headers.Location)\n`\n\u003cimg width=\"1259\" height=\"211\" alt=\"Screenshot 2026-03-25 171251\" src=\"https://github.com/user-attachments/assets/6e4a9655-639e-48c2-a7f0-06e17ad471ff\" /\u003e\n\n## Impact\n\n* **Authorization Code Theft:** The OIDC provider sends the OAuth authorization code to the attacker\u0027s domain instead of the legitimate server.\n* **Session Hijack:** The attacker can exchange the stolen code for tokens and create a session as the victim user.\n* **Logout Redirect Hijack:** The logout handler has the same pattern, allowing post-logout redirection to an attacker domain (phishing opportunity).",
  "id": "GHSA-cxj8-ggf2-p57c",
  "modified": "2026-04-03T21:43:22Z",
  "published": "2026-04-03T21:43:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-cxj8-ggf2-p57c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34083"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SignalK/signalk-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.