GHSA-p8gp-2w28-mhwg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p8gp-2w28-mhwg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-p8gp-2w28-mhwg/GHSA-p8gp-2w28-mhwg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p8gp-2w28-mhwg
- Aliases
- Published
- 2026-02-02T18:10:32Z
- Modified
- 2026-02-03T17:53:56.291736Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Signal K set-system-time plugin vulnerable to RCE - Command Injection
- Details
-
Summary
A Command Injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing
navigation.datetimevalues received via WebSocket delta messages.Details
Product: Signal K set-system-time plugin
Repository: https://github.com/SignalK/set-system-timeFile:
index.js, lines 60-71stream.onValue(function (datetime) { var child if (process.platform == 'win32') { console.error("Set-system-time supports only linux-like os's") } else { if( ! plugin.useNetworkTime(options) ){ const useSudo = typeof options.sudo === 'undefined' || options.sudo const setDate = `date --iso-8601 -u -s "${datetime}"` // ← VULNERABLE const command = useSudo ? `if sudo -n date &> /dev/null ; then sudo ${setDate} ; else exit 3 ; fi` : setDate child = require('child_process').spawn('sh', ['-c', command]) // ← EXECUTES SHELLThe vulnerability has three components:
- Unsanitized Input: The
datetimevalue fromnavigation.datetimeSignal K path is directly interpolated into a shell command without validation - Shell Execution: The command is executed via
spawn('sh', ['-c', command]), which interprets shell metacharacters - Sudo Privileges: The plugin can execute with root privileges if
sudois misconfigured, instructions to limit passwordless sudo to the /bin/date binary helps mitigate this but RCE can still be achieved with the privileges of the user that installed it.
PoC
Exploitation Requirements
- Signal K server with security enabled, if disabled credentials not required
- Valid user credentials with
readwriteoradminpermissions - set-system-time plugin installed and enabled
- Signal K server installed on a Linux OS
- Passwordless sudo configured, official instructions will do this for the
datecommand which is enough to satisfy the if condition""" Run provided POC: python3 poc.py --host signalkserver_IP -u username -p password Payload: Creates /tmp/signalk-RCE.txt to prove code execution """
Impact
An attacker that has write privileges either through security on the Signal K server being disabled or valid credentials with read/write permissions can execute arbitrary commands on the server with the privileges of the SignalK process or root if sudo is misconfigured. This enables complete system compromise.
Recommendations
Replace shell-based execution with child_process.execFile() so user-controlled input is passed as arguments rather than interpreted by a shell.
Validate that navigation.datetime conforms to an expected ISO-8601 format to improve robustness.
- Unsanitized Input: The
- Database specific
{ "nvd_published_at": "2026-02-02T23:16:07Z", "cwe_ids": [ "CWE-78" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2026-02-02T18:10:32Z" }- References
Affected packages
npm / @signalk/set-system-time
Package
- Name
- @signalk/set-system-time
- View open source insights on deps.dev
- Purl
- pkg:npm/%40signalk/set-system-time