CVE-2026-39320

Signal K Server, a Node.js application that serves as a central data hub for boat instrumentation and networking, is affected by CVE-2026-39320 in versions prior to 2.25.0. The vulnerability is an unauthenticated Regular Expression Denial of Service (ReDoS) in the WebSocket subscription handling logic. Attackers can inject unescaped regex metacharacters into the `context` parameter of a stream subscription request, triggering catastrophic backtracking in the server's regex evaluation, particularly when processing long string identifiers such as the server's self UUID. This leads to a complete denial of service with CPU utilization spiking to 100%, rendering the server unresponsive. The issue is rated CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity).

Any unauthenticated remote attacker with network access to the Signal K Server can exploit this vulnerability by sending a malicious WebSocket subscription request containing specially crafted regex metacharacters in the `context` parameter. No privileges, user interaction, or prior authentication are required, making it highly accessible over the network. Successful exploitation causes the Node.js event loop to enter a resource-intensive backtracking loop, resulting in total server unresponsiveness to all API calls and socket connections, effectively denying service to legitimate users and connected boat systems.

Mitigation is available via the patch in Signal K Server version 2.25.0, which addresses the ReDoS flaw in WebSocket handling. Security advisories and GitHub references, including GHSA-7gcj-phff-2884, the fixing commit (215d81eb700d5419c3396a0fbf23f2e246dfac2d), pull request #2568, and the v2.25.0 release notes, recommend immediate upgrading to 2.25.0 or later. Practitioners should review exposed Signal K Server instances, especially on marine networks, and apply the update promptly.