CVE-2025-68620 | Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling


Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained to steal JWT authentication tokens without any prior authentication: WebSocket-based enumeration of pending access requests, and unauthenticated polling of access request status.

The first is unauthenticated WebSocket request enumeration. When a WebSocket client connects to the Signal K stream endpoint with the `serverevents=all` query parameter, the server replays all cached server events, including `ACCESS_REQUEST` events that describe pending access requests. The `startServerEvents` function iterates over `app.lastServerEvents` and writes each cached event to the connected client without checking its authorization level. Because WebSocket connections are permitted for readonly users, which includes unauthenticated users when `allow_readonly` is true, an attacker receives these events and with them the request IDs, client identifiers, descriptions, requested permissions and source IP addresses of every pending request.

The second is unauthenticated token polling. The access request status endpoint `/signalk/v1/access/requests/:id` returns the full state of an access request without requiring authentication. Once an administrator approves a request, that response includes the issued JWT in plaintext: the `queryRequest` function returns the complete request object, token field included, and the REST endpoint is guarded only by readonly authentication, so unauthenticated clients can read it.

An attacker has two paths. Either the attacker submits their own access request (using the IP spoofing vulnerability to craft a convincing spoofed request) and polls that request ID until an administrator approves it, receiving the JWT; or the attacker passively watches the WebSocket stream for request IDs belonging to legitimate devices, polls those IDs, and takes the JWT the moment an administrator approves the request, hijacking the legitimate device's credentials. Both paths require no authentication and yield a complete authentication bypass. Version 2.19.0 fixes the underlying issues.
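As an added example that is neither Signal K project code nor part of the advisory, the following Node.js script models both halves of the chain on constructed samples so a defender can check exposure and spot the activity in logs. It extracts the access requests that leak to an anonymous stream client, classifies an anonymous status response by whether a JWT-shaped value appears anywhere in the body (so it does not depend on a particular field name), and flags anonymous clients in Common Log Format access logs that either open the stream with `serverevents=all` or repeatedly poll one request ID. The `/signalk/v1/access/requests/:id` path and the `serverevents=all` parameter come from the advisory; `/signalk/v1/stream` is the Signal K v1 stream path. The field names inside the `ACCESS_REQUEST` event (`data.requestId`, `data.clientId`, `data.ip`, `data.permissions`), the status response layout, the sample frames and the log lines are assumptions constructed for this example.

```javascript
'use strict';
// Added illustrative code, not from the Signal K project. Runs offline on the
// constructed samples at the bottom; network capture is left to the reader.

const STREAM_QUERY = 'serverevents=all';                              // from the advisory
const ACCESS_PATH = /^\/signalk\/v1\/access\/requests\/([^/?#]+)/;    // from the advisory
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;    // header.payload.signature

// Half 1: frames received over an UNAUTHENTICATED WebSocket opened with
// ?serverevents=all. Any ACCESS_REQUEST event reaching such a client is the leak.
// Field names under data.* are assumed for illustration.
function leakedAccessRequests(wsFrames) {
  const out = [];
  for (const raw of wsFrames) {
    let msg;
    try { msg = JSON.parse(raw); } catch { continue; }  // ignore non-JSON frames
    if (!msg || msg.type !== 'ACCESS_REQUEST') continue;
    const d = msg.data || {};
    out.push({ requestId: d.requestId, clientId: d.clientId, ip: d.ip, permissions: d.permissions });
  }
  return out;
}

// Half 2: one anonymous GET /signalk/v1/access/requests/:id response. Search the
// whole body for a JWT-shaped string instead of trusting a field name.
function findJwt(value) {
  if (typeof value === 'string') return JWT_RE.test(value) ? value : null;
  if (value && typeof value === 'object') {
    for (const v of Object.values(value)) { const t = findJwt(v); if (t) return t; }
  }
  return null;
}
function classifyStatusResponse(statusCode, body) {
  if (statusCode === 401 || statusCode === 403) return 'AUTH_REQUIRED'; // endpoint no longer open
  if (statusCode === 404) return 'UNKNOWN_ID';
  if (statusCode !== 200) return 'OTHER';
  return findJwt(body) ? 'TOKEN_LEAKED' : 'NO_TOKEN_YET';   // 200 without a token: pending or denied
}

// Detection over Common Log Format lines: anonymous clients (user field "-") that
// open the stream with serverevents=all, or poll one request ID at least
// pollThreshold times. Authenticated users and single status checks are ignored.
function suspiciousClients(logLines, pollThreshold = 5) {
  const polls = new Map();        // "ip requestId" -> hit count
  const enumerators = new Set();  // ips that asked for all server events anonymously
  for (const line of logLines) {
    const m = line.match(/^(\S+) \S+ (\S+) \[[^\]]*\] "GET (\S+)/);
    if (!m) continue;
    const [, ip, user, target] = m;
    if (user !== '-') continue;
    if (target.includes(STREAM_QUERY)) enumerators.add(ip);
    const p = target.match(ACCESS_PATH);
    if (p) { const k = `${ip} ${p[1]}`; polls.set(k, (polls.get(k) || 0) + 1); }
  }
  const pollers = [...polls]
    .filter(([, n]) => n >= pollThreshold)
    .map(([k, n]) => { const [ip, requestId] = k.split(' '); return { ip, requestId, hits: n }; });
  return { enumerators: [...enumerators], pollers };
}

// Constructed samples (not real captures): a hello frame, one leaked request, noise.
const SAMPLE_FRAMES = [
  '{"name":"signalk-server","version":"2.18.0","roles":["master","main"]}',
  '{"type":"ACCESS_REQUEST","data":{"requestId":"c0ffee11-1111-4111-8111-111111111111",' +
    '"clientId":"plotter-1","description":"Chart plotter","permissions":"readwrite","ip":"192.0.2.10"}}',
  'not json',
  '{"type":"DEBUG_SETTINGS","data":{}}',
];
// Constructed log: 198.51.100.7 enumerates and polls six times, the real device
// (192.0.2.10) polls once, and an authenticated admin looks at the request.
const SAMPLE_LOG = [
  '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /signalk/v1/stream?subscribe=none&serverevents=all HTTP/1.1" 101 0',
  ...Array.from({ length: 6 }, (_, i) =>
    `198.51.100.7 - - [01/Jan/2026:10:0${i}:05 +0000] "GET /signalk/v1/access/requests/c0ffee11-1111-4111-8111-111111111111 HTTP/1.1" 200 140`),
  '192.0.2.10 - - [01/Jan/2026:10:01:00 +0000] "GET /signalk/v1/access/requests/c0ffee11-1111-4111-8111-111111111111 HTTP/1.1" 200 140',
  '203.0.113.5 - admin [01/Jan/2026:10:02:00 +0000] "GET /signalk/v1/access/requests/c0ffee11-1111-4111-8111-111111111111 HTTP/1.1" 200 140',
];
```

To use it against a live server, capture the frames from an anonymous connection to the stream endpoint with `serverevents=all` (a WebSocket client such as websocat or the browser devtools is enough) and pass them to `leakedAccessRequests`; then pass the status code and parsed body of an anonymous GET on a request ID to `classifyStatusResponse`. A `TOKEN_LEAKED` result on an approved request, or any `ACCESS_REQUEST` frame arriving on an anonymous stream, means the chain described above is still open. `suspiciousClients` only sees what the HTTP layer logs; a reverse proxy in front of the server must log the request path including the query string for the enumeration half to be visible.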

Published: 2026-01-01 Last update: 2026-01-06 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2025-68620 is rated Exploit Available (57.9/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.06%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2025-68620

EDB-ID: not listed · Source: nvd_ref · Kind: exploit_tag · Published: not listed · Link: Exploit-DB

Exploit prediction scoring system (EPSS) score for CVE-2025-68620

EPSS lead: the daily EPSS score estimates the relative likelihood that this CVE is exploited in the wild within the next 30 days; the percentile ranks it among all scored vulnerabilities (higher = higher relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-02-18 0.18% 0.06% -0.12%
2 2026-02-12 0.12% 0.18% +0.06%
3 2026-01-07 (first record) 0.12% (none)

EPSS history: 3 of 4 records shown.

Common vulnerability scoring system (CVSS) metrics for CVE-2025-68620

CVSS metrics for this CVE.

Base score: 9.1 · Version: 3.1 · Severity: CRITICAL · Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N · Exploitability: 3.9 · Impact: 5.2 · Score source: [email protected]

Attack vector (AV:N): the stream endpoint and the status endpoint are reachable over any routed network, not only from the hub itself.
Attack complexity (AC:L): once the endpoints are reachable, exploitation is straightforward; no race condition or unusual setup is needed.
Privileges required (PR:N): no account is needed; an anonymous client is enough when readonly access is allowed.
User interaction (UI:N): no victim has to click anything or open a file. Note that both attack paths still wait for an administrator to approve a request in the normal course of operations; the vector nevertheless scores this as no user interaction.
Scope (S:U): the impact stays within the Signal K server's own authorization domain; it does not spill into unrelated systems.
Confidentiality (C:H): a valid JWT and the metadata of every pending request are exposed to anyone who can connect.
Integrity (I:H): a stolen token carries the permissions granted to the request, so the attacker can write or forge data under the hijacked identity.
Availability (A:N): the service keeps running; there is no outage angle.

Weakness enumeration for CVE-2025-68620

GitHub Security Advisory for CVE-2025-68620

GHSA-fq56-hvg6-wvm5 · Severity: critical · Ecosystem: npm — Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling

Affected software / configurations for CVE-2025-68620

Vendor Product Version Raw CPE
signalk signal_k_server < 2.19.0 cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*
signalk signal_k_server 2.19.0-beta1 cpe:2.3:a:signalk:signal_k_server:2.19.0:beta1:*:*:*:*:*:*
signalk signal_k_server 2.19.0-beta2 cpe:2.3:a:signalk:signal_k_server:2.19.0:beta2:*:*:*:*:*:*
signalk signal_k_server 2.19.0-beta3 cpe:2.3:a:signalk:signal_k_server:2.19.0:beta3:*:*:*:*:*:*
signalk signal_k_server 2.19.0-beta4 cpe:2.3:a:signalk:signal_k_server:2.19.0:beta4:*:*:*:*:*:*

References for CVE-2025-68620
