
Signal K Server CVE-2025-66398

CRITICAL
OS Command Injection (CWE-78)
2026-01-01 security-advisories@github.com GHSA-w3x5-7c4c-66p9
9.6
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required (an administrator has to trigger "Restore" after the attacker has set the restore path)
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events, oldest first)

CVE Published: Jan 01, 2026 - 18:15 (nvd)
PoC Detected: Jan 06, 2026 - 18:34 (vuln.today), public exploit code
Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
Patch released: Mar 31, 2026 - 21:13 (nvd), patch available

Description (GitHub Advisory)

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (restoreFilePath) of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., security.json, package.json), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

Analysis (AI-generated)

Signal K Server, the hub application for boats, lets an unauthenticated attacker set the server's internal restoreFilePath through the /skServer/validateBackup endpoint in versions before 2.19.0. When an administrator later runs the normal "Restore" action, the server restores from the attacker-chosen archive and overwrites security.json and other critical files such as package.json; the advisory rates the outcome as account takeover and remote code execution, and classifies it as OS command injection (CWE-78).

Technical Context (AI-generated)

The /skServer/validateBackup endpoint requires no authentication, and the path it accepts is written into server-wide state (restoreFilePath) rather than being tied to the session that supplied it. An attacker points restoreFilePath at a backup archive under their control; the next time an administrator triggers 'Restore', the server unpacks that archive over the configuration directory, replacing security.json (the server's authentication configuration, so its replacement disables authentication or hands the attacker an account), package.json, or other critical files. The GitHub Advisory classifies the result as CWE-78; the root cause as described is a missing authentication check on a state-changing endpoint, with command execution arriving as a consequence of the overwritten files.

Remediation (AI-generated)

Upgrade to Signal K Server 2.19.0 or later; 2.19.0 is the first fixed version. Until the upgrade is done, keep the server on a trusted network segment and do not expose boat systems directly to the internet: the vulnerable endpoint needs no credentials, so network reachability is the only barrier. Because a restore performed before patching may already have replaced security.json and package.json, review the user accounts in security.json and the contents of package.json after upgrading rather than assuming the version bump alone undoes an earlier compromise.


CVE-2025-66398 vulnerability details – vuln.today
