What is the CVSS score of CVE-2025-68619?

CVE-2025-68619 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Node.js are affected by CVE-2025-68619?

Organizations using a boat. face moderate risk from CVE-2025-68619, a code injection vulnerability rated CVSS 7.2.. A patch is available.

Is there a public PoC exploit available for CVE-2025-68619?

Yes, a public proof-of-concept exploit is available for CVE-2025-68619. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-68619?

Within 7 days: Identify all affected systems running a boat. and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

Node.js CVE-2025-68619

HIGH

Code Injection (CWE-94)

2026-01-01 security-advisories@github.com

GHSA-93jc-vqqc-vvvh

RCE Node.js Github Signal K Server

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 06, 2026 - 17:57 vuln.today

Public exploit code

CVE Published

Jan 01, 2026 - 19:15 nvd

HIGH 7.2

DescriptionNVD

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any postinstall script defined in package.json, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious postinstall script. Version 2.19.0 contains a patch for the issue.

AnalysisAI

Technical ContextAI

Classified as CWE-94 (Code Injection). Affects the a REST API component of Signal K Server. Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing t

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2025-68619 vulnerability details – vuln.today

Back

Node.js CVE-2025-68619

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code