Home > Vulnerability Database > CVE-2025-66398

Mend.io Vulnerability Database

CVE-2025-66398

Good to know:

Date: January 1, 2026

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state ("restoreFilePath") of the server via the "/skServer/validateBackup" endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., "security.json", "package.json"), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

Severity Score

9.6

Related Resources (6)

Url: https://github.com/SignalK/signalk-server/commit/5c211eaf33f0ccadbaed6720264780d92afbd7f8

Url: https://github.com/SignalK/signalk-server

Url: https://github.com/SignalK/signalk-server/releases/tag/v2.19.0

Url: https://github.com/SignalK/signalk-server/security/advisories/GHSA-w3x5-7c4c-66p9

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66398

Url: https://www.mend.io/vulnerability-database/CVE-2025-66398

Severity Score

9.6

Weakness Type (CWE)

Improper Control of Dynamically-Managed Code Resources

CWE-913

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Top Fix

Upgrade Version

Upgrade to version signalk-server - 2.19.0;https://github.com/SignalK/signalk-server.git - v2.19.0

Learn More

CVSS v3.1

Base Score:	9.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66398

Good to know:

Date: January 1, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?