CVE-2025-69203
CVE-2025-69203 is a medium-severity vulnerability in Signalk Signal K Server with a CVSS 3.x base score of 6.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-290.
Key facts
- Severity: Medium (CVSS 3.x base score 6.3)
- EPSS exploit prediction: 0% (19th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-206135
- Weakness: CWE-290
- Affected product: Signalk Signal K Server
- Published:
- Last modified:
Description
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that when combined by themselves and with an information disclosure vulnerability enable convincing social engineering attacks against administrators. When a device creates an access request, it specifies three fields: `clientId`, `description`, and `permissions`. The SignalK admin UI displays the `description` field prominently to the administrator when showing pending requests, but the actual `permissions` field (which determines the access level granted) is less visible or displayed separately. This allows an attacker to request `admin` permissions while providing a description that suggests readonly access. The access request handler trusts the `X-Forwarded-For` HTTP header without validation to determine the client's IP address. This header is intended to preserve the original client IP when requests pass through reverse proxies, but when trusted unconditionally, it allows attackers to spoof their IP address. The spoofed IP is displayed to administrators in the access request approval interface, potentially making malicious requests appear to originate from trusted internal network addresses. Since device/source names can be enumerated via the information disclosure vulnerability, an attacker can impersonate a legitimate device or source, craft a convincing description, spoof a trusted internal IP address, and request elevated permissions, creating a highly convincing social engineering scenario that increases the likelihood of administrator approval. Users should upgrade to version 2.19.0 to fix this issue.
Frequently asked questions
- What is CVE-2025-69203?
- Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that when combined by themselves and with an information disclosure vulnerability enable convincing social engineering attacks against administrators. When a device creates an access request, it specifies three fields: `clientId`, `description`, and `permissions`. The SignalK admin UI displays the `description` field prominently to the administrator when showing pending requests, but the actual `permissions` field (which determines the access level granted) is less visible or displayed separately. This allows an attacker to request `admin` permissions while providing a description that suggests readonly access. The access request handler trusts the `X-Forwarded-For` HTTP header without validation to determine the client's IP address. This header is intended to preserve the original client IP when requests pass through reverse proxies, but when trusted unconditionally, it allows attackers to spoof their IP address. The spoofed IP is displayed to administrators in the access request approval interface, potentially making malicious requests appear to originate from trusted internal network addresses. Since device/source names can be enumerated via the information disclosure vulnerability, an attacker can impersonate a legitimate device or source, craft a convincing description, spoof a trusted internal IP address, and request elevated permissions, creating a highly convincing social engineering scenario that increases the likelihood of administrator approval. Users should upgrade to version 2.19.0 to fix this issue.
- How severe is CVE-2025-69203?
- CVE-2025-69203 has a CVSS 3.x base score of 6.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2025-69203 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (19th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-69203?
- CVE-2025-69203 primarily affects Signalk Signal K Server. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-69203?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-69203 have an EU (EUVD) identifier?
- Yes. CVE-2025-69203 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-206135.
- When was CVE-2025-69203 published?
- CVE-2025-69203 was published on 2026-01-01 and last updated on 2026-06-17.
References
- https://github.com/SignalK/signalk-server/releases/tag/v2.19.0
- https://github.com/SignalK/signalk-server/security/advisories/GHSA-vfrf-vcj7-wvr8
Affected products (5)
- cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:signalk:signal_k_server:2.19.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:signalk:signal_k_server:2.19.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:signalk:signal_k_server:2.19.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:signalk:signal_k_server:2.19.0:beta4:*:*:*:*:*:*
More vulnerabilities in Signalk Signal K Server
- CVE-2026-23515 — Critical (CVSS 9.9): Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection…
- CVE-2025-66398 — Critical (CVSS 9.6): Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an…
- CVE-2026-33950 — Critical (CVSS 9.4): Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is…
- CVE-2025-68620 — Critical (CVSS 9.1): Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two…
- CVE-2026-41893 — High (CVSS 7.5): Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login…
- CVE-2026-39320 — High (CVSS 7.5): Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable…
All CVEs affecting Signalk Signal K Server →
Other CWE-290 vulnerabilities
- CVE-2026-54782 — Critical (CVSS 10.0): CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1,…
- CVE-2026-48567 — Critical (CVSS 10.0): Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-6213 — Critical (CVSS 10.0): A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypasses the local connection check…
- CVE-2026-39858 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high…
- CVE-2025-66570 — Critical (CVSS 10.0): cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability…
- CVE-2025-34063 — Critical (CVSS 10.0): A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure…