Description
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the `context` parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests. Version 2.25.0 contains a fix.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Signal K Server contains a regular expression denial‑of‑service flaw that allows an unauthenticated attacker to inject unescaped regex metacharacters into the context parameter of a WebSocket subscription. The injected characters cause the Node.js event loop to perform catastrophic backtracking against long identifiers such as the server’s own UUID, resulting in CPU saturation and a total denial of service to all further API and socket requests.

Affected Systems

The vulnerability affects the Signal K Server application provided by SignalK (signalk-server). All releases earlier than version 2.25.0 are impacted; version 2.25.0 and later contain the fix.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is considered high severity, but the EPSS score is reported as less than 1% and the issue is not listed in the CISA KEV catalog, indicating no publicly known exploitation yet. The likely attack vector is remote, as any entity that can connect to the server’s WebSocket endpoint can craft a malicious subscription path without authentication. Once triggered, the server’s CPU can reach 100 % and the process becomes completely unresponsive to additional traffic.

Generated by OpenCVE AI on April 22, 2026 at 03:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Release 2.25.0 or later, which patches the Regular Expression Denial of Service (CWE‑1333) by sanitizing the context parameter in WebSocket subscriptions.
  • For systems that cannot upgrade immediately, enforce strict input validation to escape or reject regex metacharacters, thereby mitigating CWE‑1333 and preventing excessive resource consumption described by CWE‑400.
  • Restrict WebSocket subscription access to authenticated or trusted clients and enforce request rate‑limiting or CPU‑usage monitoring to prevent the server from reaching 100 % CPU and a full denial of service.

Generated by OpenCVE AI on April 22, 2026 at 03:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7gcj-phff-2884 Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
History

Fri, 24 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Signalk signal K Server
CPEs cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*
Vendors & Products Signalk signal K Server

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Signalk
Signalk signalk-server
Vendors & Products Signalk
Signalk signalk-server

Tue, 21 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the `context` parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests. Version 2.25.0 contains a fix.
Title Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
Weaknesses CWE-1333
CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Signalk Signal K Server Signalk-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:36:54.787Z

Reserved: 2026-04-06T19:31:07.266Z

Link: CVE-2026-39320

cve-icon Vulnrichment

Updated: 2026-04-21T19:36:52.069Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T01:16:05.063

Modified: 2026-04-24T20:51:54.230

Link: CVE-2026-39320

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T03:30:06Z

Weaknesses