CVE-2025-66398

Severity: CRITICAL, CVSS 3.1 base score 9.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (source: nvd) - patch available
Analysis Generated: Mar 12, 2026 - 21:54 (source: vuln.today)
PoC Detected: Jan 06, 2026 - 18:34 (source: vuln.today) - public exploit code
CVE Published: Jan 01, 2026 - 18:15 (source: nvd)

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

Analysis

Signal K Server (for boats) before 2.19.0 allows unauthenticated attackers to hijack the backup restore function by polluting the internal restoreFilePath state via the /validateBackup endpoint. This enables overwriting security.json and other critical files to achieve OS command injection.

Technical Context

The /skServer/validateBackup endpoint is unauthenticated and can modify the server's internal restoreFilePath state (CWE-78). An attacker sets restoreFilePath to point to a malicious backup archive, so that when an administrator later triggers 'Restore', the server overwrites security.json (disabling authentication), package.json, or other critical files.
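The defect class described above is an unauthenticated endpoint writing server state that a later privileged action trusts. The following is an added illustration, not Signal K Server code: it models that weak pattern next to a hardened form in which the validation step requires the same administrator privilege as the restore step, the pending path lives in the caller's own session rather than in server-global state, and the file name is pinned under a server-controlled staging directory and re-checked at use time. The request shape, the role name `admin`, and `STAGING_DIR` are assumptions made for the example.

```javascript
// Added example; not Signal K Server code. Models the defect class the advisory
// describes (unauthenticated endpoint writes state that a privileged action later
// trusts) beside a hardened form. Request shape, role names and STAGING_DIR are
// assumptions made for this illustration.

// Constructed: directory that only the server writes backup archives into.
const STAGING_DIR = '/var/lib/app/backups-staging';

// ---- Weak pattern: module-global state, no auth on the first step ----------
const weakState = { restoreFilePath: null };

function weakValidateBackup(req) {
  // No authentication check: any caller can set the path used later.
  weakState.restoreFilePath = req.body.file;
  return { status: 200, body: { ok: true } };
}

function weakRestore(req) {
  if (!isAdmin(req)) return { status: 401, body: { error: 'admin required' } };
  // Trusts whatever path is in shared state, regardless of who put it there.
  return { status: 200, body: { restoredFrom: weakState.restoreFilePath } };
}

// ---- Hardened pattern ------------------------------------------------------
function isAdmin(req) {
  return Boolean(req.user && req.user.role === 'admin');
}

// Accept only a bare file name and pin it under STAGING_DIR: no path separators
// and no leading dot, so '..' segments and absolute paths are rejected.
function stagingPathFor(name) {
  if (typeof name !== 'string' || !/^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(name)) return null;
  return `${STAGING_DIR}/${name}`;
}

function hardenedValidateBackup(req) {
  if (!isAdmin(req)) return { status: 401, body: { error: 'admin required' } };
  const p = stagingPathFor(req.body.file);
  if (!p) return { status: 400, body: { error: 'invalid backup file name' } };
  // Keep the pending path in the caller's own session, not in global state.
  req.session.restoreFilePath = p;
  return { status: 200, body: { ok: true } };
}

function hardenedRestore(req) {
  if (!isAdmin(req)) return { status: 401, body: { error: 'admin required' } };
  const p = req.session.restoreFilePath;
  // Re-check at use time: the path must still lie inside the staging directory.
  if (!p || !p.startsWith(`${STAGING_DIR}/`)) {
    return { status: 400, body: { error: 'no validated backup in this session' } };
  }
  return { status: 200, body: { restoredFrom: p } };
}

// Runs both flows with constructed requests so the difference is visible.
function demo() {
  const anon = { user: null, session: {}, body: { file: '/tmp/untrusted-archive' } };
  const admin = { user: { role: 'admin' }, session: {}, body: { file: 'backup-2026-01.tar' } };

  weakValidateBackup(anon);                          // accepted: pollutes shared state
  const weak = weakRestore({ ...admin, body: {} });  // admin restore uses the planted path

  const rejected = hardenedValidateBackup(anon);     // 401: unauthenticated caller
  const accepted = hardenedValidateBackup(admin);    // 200: path pinned under STAGING_DIR
  const hard = hardenedRestore({ ...admin, body: {} });
  return { weak, rejected, accepted, hard };
}
```

The design point is that authentication on the restore endpoint alone is not enough: every step that feeds the restore decision must carry the same privilege requirement, and the value must be validated where it is consumed rather than only where it was set.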

Affected Products

Signal K Server before 2.19.0

Remediation

Update to Signal K Server 2.19.0 or later. Restrict server access to trusted networks. Do not expose boat systems directly to the internet.

Priority Score

68 (scale: Low / Medium / High / Critical)

Score components:
KEV: 0
EPSS: +0.1
CVSS: +48
POC: +20


CVE-2025-66398 vulnerability details – vuln.today
