Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via from field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0.
AnalysisAI
Signal K Server prior to version 2.24.0 permits low-privileged authenticated users to bypass prototype boundary filtering via a malformed from field, enabling arbitrary read access to internal functions and properties in the global prototype object. This confidentiality breach violates data isolation within the Signal K application and allows attackers to extract sensitive internal state they should not access. The vulnerability requires prior authentication and has been patched in version 2.24.0.
Technical ContextAI
Signal K Server is a standardized marine data platform that centralizes sensor and system data on a boat's hub. The vulnerability exploits improper input validation (CWE-20: Improper Input Validation) in the from field handling mechanism that is meant to enforce prototype boundary filtering-a security control to isolate user access to only authorized prototype properties. By crafting a malicious from field value, an authenticated user can circumvent this boundary check and access the JavaScript global prototype object's internal functions and properties, which should be restricted. This is a classic prototype pollution reconnaissance technique where the attacker gains visibility into system internals without modifying them. The CPE cpe:2.3:a:signalk:signalk-server:*:*:*:*:*:*:*:* indicates all versions of the Signal K Server application are in scope until the patched version.
RemediationAI
Vendor-released patch: upgrade to Signal K Server version 2.24.0 or later. This patch restores proper prototype boundary filtering and eliminates the from field bypass. Users running versions prior to 2.24.0 should prioritize this upgrade immediately. No interim workaround has been documented; patch application is the primary remediation. Reference the official advisory at https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234 for deployment guidance and confirmation of patched versions.
More in Signalk Server
View allUnauthenticated privilege escalation in SignalK Server (versions prior to 2.24.0-beta.4) allows remote attackers to inje
SignalK Server prior to version 2.24.0-beta.1 allows unauthenticated remote attackers to modify navigation data source p
SignalK Server versions prior to 2.24.0 allow unauthenticated attackers to hijack OAuth2 sessions and steal authorizatio
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18396
GHSA-qh3j-mrg8-f234