CVE-2025-68619

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-68619
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68619.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68619
Aliases
Published
2026-01-01T18:35:19.982Z
Modified
2026-01-08T05:37:43.339830Z
Severity
  • 7.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
Details

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any postinstall script defined in package.json, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious postinstall script. Version 2.19.0 contains a patch for the issue.

Database specific 
{
    "cwe_ids": [
        "CWE-94"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68619.json"
}
References

Affected packages

Git / github.com/signalk/signalk-server

Affected ranges

Type
GIT
Repo
https://github.com/signalk/signalk-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3037c517bb8de70c4b74b61192c57d6176731571

Affected versions

0.*
0.1.1
0.1.10
0.1.11
0.1.12
0.1.13
0.1.18
0.1.19
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
Other
latest
v0.*
v0.1.24
v0.1.26
v0.1.27
v0.1.28
v0.1.29
v0.1.30
v0.1.33
v1.*
v1.0.0
v1.0.0-0
v1.0.0-1
v1.0.0-2
v1.0.0-3
v1.0.0-4
v1.1.0
v1.1.1
v1.1.2
v1.10.0
v1.10.1
v1.10.2
v1.12.0
v1.13.0
v1.13.1
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.19.0
v1.19.0-beta.2
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.24.0
v1.25.0
v1.26.0
v1.27.0
v1.27.1
v1.28.0
v1.29.0
v1.3.0
v1.30.0
v1.31.0
v1.32.0
v1.32.0-beta.1
v1.32.0-beta.2
v1.32.0-beta.3
v1.33.0
v1.33.0-beta.1
v1.34.0
v1.35.0
v1.35.1
v1.35.2
v1.36.0
v1.36.0-beta.1
v1.36.0-beta.2
v1.36.0-beta.3
v1.37.0
v1.37.0-beta.1
v1.37.0-beta.3
v1.37.1
v1.37.2
v1.37.3
v1.37.4
v1.37.5
v1.37.6
v1.38.0
v1.38.1
v1.39.0
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.40.0
v1.41.0
v1.41.0-beta.1
v1.41.0-beta.2
v1.41.0-beta.3
v1.41.0-beta.4
v1.41.1
v1.41.2
v1.41.3
v1.42.0
v1.43.0
v1.44.0
v1.45.0
v1.46.0
v1.46.1
v1.46.2
v1.46.3
v1.5.0
v1.6.0
v1.7.0
v1.7.1
v1.8.0
v1.9.0
v1.9.1
v2.*
v2.0.0
v2.0.0-beta.10
v2.0.0-beta.11
v2.0.0-beta.12
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-beta.4
v2.0.0-beta.5
v2.0.0-beta.6
v2.0.0-beta.7
v2.0.0-beta.8
v2.0.0-beta.9
v2.1.0
v2.1.1
v2.10.0
v2.11.0
v2.12.0
v2.13.0
v2.13.0-beta.0
v2.13.0-beta.1
v2.13.0-beta.2
v2.13.0-beta.3
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.14.0
v2.14.0-beta.0
v2.14.0-beta.1
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.15.0
v2.15.0-beta.5
v2.15.0-beta.6
v2.15.1
v2.15.2
v2.15.3
v2.16.0
v2.17.0
v2.17.1
v2.17.2
v2.18.0
v2.19.0-beta.1
v2.19.0-beta.2
v2.19.0-beta.3
v2.19.0-beta.4
v2.19.0-beta.5
v2.2.0
v2.3.0
v2.3.1
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.7.2
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.9.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68619.json"