CVE-2025-68620
Published: 01 January 2026
Summary
CVE-2025-68620 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Signalk Signal K Server. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 20.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- AC-3 (Access Enforcement): enforces approved authorizations before disclosing sensitive ACCESS_REQUEST events and JWT tokens via unauthenticated WebSocket streams and REST polling endpoints.
- AC-14 (Permitted Actions Without Identification or Authentication): explicitly limits and documents actions permitted without identification or authentication, preventing exposure of access request details and tokens to unauthenticated users.
- Least privilege: restricts readonly access for unauthenticated users, blocking enumeration and theft of JWT tokens from legitimate access requests.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability directly enables unauthenticated exploitation of a public-facing server (T1190) to enumerate and poll access requests, resulting in theft of JWT application access tokens (T1528).
NVD Description
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status.

The first is Unauthenticated WebSocket Request Enumeration: When a WebSocket client connects to the SignalK stream endpoint with the `serverevents=all` query parameter, the server sends all cached server events including `ACCESS_REQUEST` events that contain details about pending access requests. The `startServerEvents` function iterates over `app.lastServerEvents` and writes each cached event to any connected client without verifying authorization level. Since WebSocket connections are allowed for readonly users (which includes unauthenticated users when `allow_readonly` is true), attackers receive these events containing request IDs, client identifiers, descriptions, requested permissions, and IP addresses.

The second is Unauthenticated Token Polling: The access request status endpoint at `/signalk/v1/access/requests/:id` returns the full state of an access request without requiring authentication. When an administrator approves a request, the response includes the issued JWT token in plaintext. The `queryRequest` function returns the complete request object including the token field, and the REST endpoint uses readonly authentication, allowing unauthenticated access.

An attacker has two paths to exploit these vulnerabilities. Either the attacker creates their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request), then polls their own request ID until an administrator approves it, receiving the JWT token; or the attacker passively monitors the WebSocket stream to discover request IDs from legitimate devices, then polls those IDs and steals the JWT tokens when administrators approve them, hijacking legitimate device credentials. Both paths require zero authentication and enable complete authentication bypass. Version 2.19.0 fixes the underlying issues.
Deeper analysis [AI]
CVE-2025-68620 affects Signal K Server, a server application running on central hubs in boats, in versions prior to 2.19.0. The vulnerability (CVSS 9.1, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N; CWE-288) arises from two chainable features that enable theft of JWT authentication tokens without prior authentication. The first is unauthenticated WebSocket request enumeration: connecting to the Signal K stream endpoint with the `serverevents=all` query parameter causes the server to send all cached server events, including `ACCESS_REQUEST` events with request IDs, client identifiers, descriptions, permissions, and IP addresses, due to the `startServerEvents` function iterating over `app.lastServerEvents` without authorization checks. WebSocket connections are permitted for readonly users, including unauthenticated ones when `allow_readonly` is true. The second is unauthenticated token polling: the `/signalk/v1/access/requests/:id` endpoint returns the full access request state, including issued JWT tokens in plaintext upon approval, as the `queryRequest` function exposes the complete object and the endpoint requires only readonly authentication.
Unauthenticated attackers with network access to the server can exploit this in two ways. They can create their own access request—potentially spoofing it convincingly via a separate IP spoofing vulnerability—then poll the request ID until an administrator approves it, receiving the JWT token directly. Alternatively, attackers can passively monitor the WebSocket stream for `ACCESS_REQUEST` events from legitimate devices, harvest the request IDs, and poll those endpoints to steal JWT tokens when approvals occur, hijacking the credentials of legitimate devices. Both paths require zero authentication and enable complete authentication bypass, granting high confidentiality and integrity impact.
The Signal K Server release notes for version 2.19.0 and the associated security advisory (GHSA-fq56-hvg6-wvm5) confirm that the issues are fixed in this version by addressing the unauthorized exposure of server events and access request details. Security practitioners should upgrade to 2.19.0 or later and review configurations like `allow_readonly` to limit exposure until patching is complete.
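For operators who cannot upgrade immediately, the following added detection example (not from the advisory and not part of Signal K Server) scans HTTP access-log lines for the two polling patterns the analysis describes: one unauthenticated source repeatedly polling a single request ID while waiting for approval, and one source polling several distinct request IDs it could only have learned from the event stream. The log line format, the IP addresses and the request IDs are constructed for the example; only the `/signalk/v1/access/requests/:id` path comes from the advisory.

```javascript
// Added example, not from the advisory or Signal K Server. The log format is
// CONSTRUCTED: "<timestamp> <client-ip> <method> <path> <status> auth=<principal|none>".
// Adapt LINE to the proxy or server log you actually collect.
const ACCESS_REQUEST_PATH = /^\/signalk\/v1\/access\/requests\/([^/?]+)/;
const LINE = /^(\S+) (\S+) (\S+) (\S+) (\d{3}) auth=(\S+)$/;

// Returns a record for GET polls of the access-request status endpoint,
// or null for any other line (unparseable, other path, other method).
function parseLine(line) {
  const m = LINE.exec(line.trim());
  if (!m) return null;
  const [, ts, ip, method, path, status, auth] = m;
  const p = ACCESS_REQUEST_PATH.exec(path);
  if (!p || method !== 'GET') return null;
  return { ts, ip, requestId: p[1], status: Number(status), unauthenticated: auth === 'none' };
}

// Counts unauthenticated polls per (source IP, request ID) and reports:
//  - 'repeated-poll': one ID polled more than maxPollsPerId times by one source
//  - 'id-harvest':    one source polling more than maxDistinctIds different IDs
// Thresholds are tunables; authenticated callers are ignored entirely.
function detectAccessRequestPolling(lines, { maxPollsPerId = 5, maxDistinctIds = 2 } = {}) {
  const perIp = new Map(); // ip -> Map(requestId -> poll count)
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || !rec.unauthenticated) continue;
    if (!perIp.has(rec.ip)) perIp.set(rec.ip, new Map());
    const counts = perIp.get(rec.ip);
    counts.set(rec.requestId, (counts.get(rec.requestId) || 0) + 1);
  }
  const findings = [];
  for (const [ip, counts] of perIp) {
    for (const [requestId, n] of counts) {
      if (n > maxPollsPerId) findings.push({ ip, kind: 'repeated-poll', requestId, count: n });
    }
    if (counts.size > maxDistinctIds) {
      findings.push({ ip, kind: 'id-harvest', requestIds: [...counts.keys()], count: counts.size });
    }
  }
  return findings;
}

// Constructed sample log: an admin polling legitimately, one source polling a
// single ID six times without authentication, one source touching three IDs,
// one benign pair of polls, and an unrelated API request.
const SAMPLE_LOG = [
  '2026-01-01T10:00:00Z 198.51.100.20 GET /signalk/v1/access/requests/req-a 200 auth=admin',
  '2026-01-01T10:00:05Z 203.0.113.5 GET /signalk/v1/access/requests/req-a 200 auth=none',
  '2026-01-01T10:00:10Z 203.0.113.5 GET /signalk/v1/access/requests/req-a 200 auth=none',
  '2026-01-01T10:00:15Z 203.0.113.5 GET /signalk/v1/access/requests/req-a 200 auth=none',
  '2026-01-01T10:00:20Z 203.0.113.5 GET /signalk/v1/access/requests/req-a 200 auth=none',
  '2026-01-01T10:00:25Z 203.0.113.5 GET /signalk/v1/access/requests/req-a 200 auth=none',
  '2026-01-01T10:00:30Z 203.0.113.5 GET /signalk/v1/access/requests/req-a 200 auth=none',
  '2026-01-01T10:01:00Z 203.0.113.9 GET /signalk/v1/access/requests/req-b 200 auth=none',
  '2026-01-01T10:01:01Z 203.0.113.9 GET /signalk/v1/access/requests/req-c 200 auth=none',
  '2026-01-01T10:01:02Z 203.0.113.9 GET /signalk/v1/access/requests/req-d 200 auth=none',
  '2026-01-01T10:02:00Z 192.0.2.1 GET /signalk/v1/access/requests/req-b 200 auth=none',
  '2026-01-01T10:02:30Z 192.0.2.1 GET /signalk/v1/access/requests/req-b 200 auth=none',
  '2026-01-01T10:03:00Z 192.0.2.1 GET /signalk/v1/api/vessels/self 200 auth=none',
];
```

Run `detectAccessRequestPolling(SAMPLE_LOG)` to get two findings, a repeated-poll for 203.0.113.5 and an id-harvest for 203.0.113.9; in production, feed the function a sliding window of recent lines and alert on any finding, since after 2.19.0 unauthenticated polls of this endpoint should yield nothing of value and their persistence is itself the signal.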
Details
- CWE(s)