GHSA-GFMV-VH34-H2X5

Vulnerability from github – Published: 2026-04-03 21:42 – Updated: 2026-04-06 23:13
VLAI?
Summary
Signal K Server: Unauthenticated Source Priorities Manipulation
Details

Summary

The SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration.

As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts.

Affected Component

  • File: src/serverroutes.ts
  • Endpoint: PUT /signalk/v1/api/sourcePriorities (also accessible at /skServer/sourcePriorities)
  • Lines: 1064-1076
  • Function: Source priorities configuration handler

Vulnerable Code

// src/serverroutes.ts - Lines 1064-1076
app.put(
  `${SERVERROUTESPREFIX}/sourcePriorities`,
  (req: Request, res: Response) => {
    app.config.settings.sourcePriorities = req.body
    app.activateSourcePriorities()
    writeSettingsFile(app, app.config.settings, (err: any) => {
      if (err) {
        res
          .status(500)
          .send('Unable to save to sourcePrefences in settings file')
      } else {
        res.json({ result: 'ok' })
      }
    })
  }
)

Vulnerability Characteristics

Missing Authentication: The endpoint has zero authentication middleware, allowing unauthenticated access from any network-adjacent attacker.

Direct Configuration Assignment: User-supplied request body is directly assigned to app.config.settings.sourcePriorities without validation or sanitization.

Persistent Storage: Malicious configuration is written to disk via writeSettingsFile(), ensuring changes survive server restarts. Live Configuration Update: Changes take effect immediately via activateSourcePriorities(), affecting live navigation data processing.

No Input Validation: No JSON schema validation, type checking, or field allowlisting is performed on the request body.

Impact

  • Navigation Data Manipulation: Attackers can modify source priorities to change which existing, active source's data is being used
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "signalk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.24.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33951"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T21:42:11Z",
    "nvd_published_at": "2026-04-02T17:16:23Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via `PUT /signalk/v1/api/sourcePriorities`, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration.\n\nAs a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts.\n\n### Affected Component\n- **File**: `src/serverroutes.ts`\n- **Endpoint**: `PUT /signalk/v1/api/sourcePriorities` (also accessible at `/skServer/sourcePriorities`)\n- **Lines**: 1064-1076\n- **Function**: Source priorities configuration handler\n\n### Vulnerable Code\n\n```typescript\n// src/serverroutes.ts - Lines 1064-1076\napp.put(\n  `${SERVERROUTESPREFIX}/sourcePriorities`,\n  (req: Request, res: Response) =\u003e {\n    app.config.settings.sourcePriorities = req.body\n    app.activateSourcePriorities()\n    writeSettingsFile(app, app.config.settings, (err: any) =\u003e {\n      if (err) {\n        res\n          .status(500)\n          .send(\u0027Unable to save to sourcePrefences in settings file\u0027)\n      } else {\n        res.json({ result: \u0027ok\u0027 })\n      }\n    })\n  }\n)\n```\n## Vulnerability Characteristics\n\n**Missing Authentication**: The endpoint has zero authentication middleware, allowing unauthenticated access from any network-adjacent attacker.\n\n**Direct Configuration Assignment**: User-supplied request body is directly assigned to app.config.settings.sourcePriorities without validation or sanitization.\n\n**Persistent Storage**: Malicious configuration is written to disk via writeSettingsFile(), ensuring changes survive server restarts.\n**Live Configuration Update**: Changes take effect immediately via activateSourcePriorities(), affecting live navigation data processing.\n\n**No Input Validation**: No JSON schema validation, type checking, or field allowlisting is performed on the request body.\n\n## Impact\n- **Navigation Data Manipulation**: Attackers can modify source priorities to change which existing, active source\u0027s data is being used",
  "id": "GHSA-gfmv-vh34-h2x5",
  "modified": "2026-04-06T23:13:11Z",
  "published": "2026-04-03T21:42:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-gfmv-vh34-h2x5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33951"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SignalK/signalk-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Signal K Server: Unauthenticated Source Priorities Manipulation "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.