Skip to main content

Signal K Server CVE-2026-41893

HIGH
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-05-04 https://github.com/SignalK/signalk-server GHSA-vmfm-ch9h-5c7g
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 09, 2026 - 20:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 09, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
May 09, 2026 - 20:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 04, 2026 - 21:31 vuln.today
Analysis Generated
May 04, 2026 - 21:31 vuln.today

DescriptionGitHub Advisory

Summary

The HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path - sending {login: {username, password}} messages over an established WebSocket connection - calls app.securityStrategy.login() directly without any rate limiting.

An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds).

Details

Vulnerable code: src/interfaces/ws.ts, function processLoginRequest (lines 753-780)

The function directly calls app.securityStrategy.login(msg.login.username, msg.login.password) with no throttling or attempt tracking.

Rate-limited HTTP path for comparison: src/tokensecurity.ts lines 609-617 apply loginLimiter middleware to the HTTP login routes at line 637.

Steps to Reproduce

  1. Start Signal K server with security enabled
  2. Open a WebSocket connection to ws://server:3000/signalk/v1/stream?subscribe=none
  3. Wait for the hello message
  4. Send login attempts in rapid succession:
json
   {"requestId": "1", "login": {"username": "admin", "password": "guess1"}}
   {"requestId": "2", "login": {"username": "admin", "password": "guess2"}}
  1. Observe that all attempts are processed without any 429 response or throttling
  2. For comparison, send 100+ HTTP POST requests to /signalk/v1/auth/login - the 101st returns 429

A POC script is available that demonstrates both the HTTP rate limiting working correctly and the WebSocket path accepting unlimited attempts.

Impact

  • Credential brute-forcing via the WebSocket protocol at ~20 attempts/sec (bcrypt-limited)
  • Complete bypass of the HTTP rate limiting defense
  • A single WebSocket connection is sufficient for unlimited attempts
  • With multiple parallel connections, throughput multiplies
  • A 10,000-word dictionary attack completes in ~8 minutes over a single connection

Signal K servers are commonly deployed on boat networks where they may be accessible to other devices on the same LAN.

CWE

CWE-307: Improper Restriction of Excessive Authentication Attempts

Suggested Fix

Track failed login attempts per remote IP in a shared store (or reuse the existing express-rate-limit store) that is checked in both the HTTP login middleware and the processLoginRequest WebSocket handler.

Context

Found while building an open source maritime security scanner. Verified on v2.24.0 (current master).

Discovered by Mark Curphey

AnalysisAI

Credential brute-forcing in Signal K Server versions ≤2.24.0 allows remote unauthenticated attackers to bypass HTTP login rate limiting by sending unlimited password guesses through the WebSocket authentication endpoint at approximately 20 attempts per second. The HTTP login endpoints are protected by express-rate-limit (default: 100 attempts per 10-minute window), but the WebSocket path processes login requests without any throttling, enabling dictionary attacks to complete in minutes. Publicly available exploit code exists demonstrating the bypass technique. Signal K servers are commonly deployed on boat networks where they may be accessible to other devices on the same LAN, increasing exposure risk.

Technical ContextAI

Signal K Server is an open-source data exchange protocol and server implementation for marine vessels, implemented as a Node.js application (npm package signalk-server). The vulnerability stems from inconsistent application of rate limiting middleware across different protocol interfaces. The HTTP authentication endpoints use express-rate-limit middleware to throttle login attempts, but the WebSocket interface in src/interfaces/ws.ts calls the underlying authentication function directly without passing through any rate limiting layer. The WebSocket handler processes JSON messages containing login credentials and invokes app.securityStrategy.login() synchronously, bounded only by bcrypt's computational cost (~50ms per attempt with 10 salt rounds). This represents CWE-307 (Improper Restriction of Excessive Authentication Attempts) where security controls are applied to one attack surface but not another accessing the same underlying functionality.

RemediationAI

Upgrade to Signal K Server version 2.25.0 or later, released to address this vulnerability as documented in the GitHub release notes at https://github.com/SignalK/signalk-server/releases/tag/v2.25.0. The fix implements a shared LoginRateLimiter class that enforces consistent rate limiting across both HTTP and WebSocket authentication paths, as shown in commit 215d81eb700d5419c3396a0fbf23f2e246dfac2d (https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d) and pull request #2568. If immediate patching is not feasible, implement compensating controls: configure firewall rules to restrict WebSocket endpoint access to trusted IP ranges only, enforce strong password policies to increase brute-force computational cost, enable connection-level rate limiting at the reverse proxy layer if Signal K sits behind nginx/Apache, monitor authentication logs for rapid failed login sequences from single source IPs, and consider disabling WebSocket authentication entirely if only HTTP login is required. Note that IP-based rate limiting can be circumvented by distributed attacks from multiple source addresses, so these mitigations reduce but do not eliminate risk - upgrading to 2.25.0 is the definitive remediation.

Share

CVE-2026-41893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy