Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Description

Summary

SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an attacker spoof the Host header to steal OAuth authorization codes and hijack user sessions in realistic deployments as The OIDC provider will then send the authorization code to whatever domain was injected.

The OIDC specification requires redirect_uri to be pre-registered and not derived from untrusted input. Constructing it from the Host header violates this requirement and introduces a trust boundary break.
This risk is actively amplified by SignalK's official documentation, which instructs administrators to deploy an Nginx configuration that forwards the vulnerable Host header, exposing production environments.

Vulnerability Root Cause

Two factors combine to create this vulnerability:

Factor 1: redirectUri is optional with an unsafe fallback
In types.ts:30, redirectUri is declared as optional

export interface OIDCConfig {
  // ...
  redirectUri?: string   // ← Optional, no default value
  // ...
}

The defaults in types.ts:175-185 do not include a redirectUri: never checks or warns about a missing redirectUri. This means a fully "valid" OIDC configuration can exist without redirectUri, silently activating the vulnerable fallback path.

export const OIDC_DEFAULTS: Omit<OIDCConfig, 'issuer' | 'clientId' | 'clientSecret'> = {
  enabled: false,
  scope: 'openid email profile',
  defaultPermission: 'readonly',
  autoCreateUsers: true,
  providerName: 'SSO Login',
  autoLogin: false
  // ← No redirectUri default
}

Factor 2: Unsafe Host header usage in two locations
Location 1 — Login handler in oidc-auth.ts:278-282:

const protocol = req.secure ? 'https' : 'http'
const host = req.get('host')                          // ← Attacker-controlled
const redirectUri =
  oidcConfig.redirectUri ||                            // ← Only safe if explicitly set
  `${protocol}://${host}${skAuthPrefix}/oidc/callback` // ← Uses attacker's Host

This redirectUri flows into createAuthState() → buildAuthorizationUrl() → OIDC provider's redirect_uri parameter. The OIDC provider will then send the authorization code to whatever domain was injected.

Location 2 — Logout handler in oidc-auth.ts:513-515:

const protocol = req.secure ? 'https' : 'http'
const host = req.get('host')                            // ← Same pattern
const fullPostLogoutUri = `${protocol}://${host}${postLogoutRedirect}`

This constructs the post_logout_redirect_uri sent to the OIDC provider's end_session_endpoint, allowing an attacker to redirect the user to an attacker controlled domain after logout.

Official Documentation Enables the Attack

SignalK's own security documentation at docs/security.md:222-228 provides the recommended nginx reverse proxy configuration:
The proxy_set_header Host $host; directive forwards the client-supplied Host header to the backend unmodified. Without this directive, nginx would replace the Host header with the upstream address (localhost:3000), which would neutralize the injection.

location / {
    proxy_pass http://localhost:3000;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;   # ← Forwards client's Host header to SignalK
}

Administrators who follow the official documentation are directly enabling this vulnerability behind their reverse proxy.

Proof of Concept

Tested against SignalK Server v2.23.0 in Docker with OIDC enabled .

Step 1 — Send login request with injected Host header:
$response = Invoke-WebRequest -Uri "http://localhost:3000/signalk/v1/auth/oidc/login" -Headers @{"Host"="evil.com"} -MaximumRedirection 0 -ErrorAction SilentlyContinue -UseBasicParsing

Step 2: Decode and print the injected redirect URL
[uri]::UnescapeDataString($response.Headers.Location)
<img width="1259" height="211" alt="Screenshot 2026-03-25 171251" src="https://github.com/user-attachments/assets/6e4a9655-639e-48c2-a7f0-06e17ad471ff" />

Impact

  • Authorization Code Theft: The OIDC provider sends the OAuth authorization code to the attacker's domain instead of the legitimate server.
  • Session Hijack: The attacker can exchange the stolen code for tokens and create a session as the victim user.
  • Logout Redirect Hijack: The logout handler has the same pattern, allowing post-logout redirection to an attacker domain (phishing opportunity).

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-03 21:43:22 UTC
Updated
2026-04-03 21:43:24 UTC
GitHub reviewed
2026-04-03 21:43:22 UTC
NVD published
2026-04-02

EPSS Score

Score Percentile
0.01% 3.00%

CVSS Scores

Base score Version Severity Vector
6.1 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-346 Origin Validation Error
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Credits

  • VashuVats (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm signalk-server >= 2.20.0, < 2.24.0 2.24.0

References

cvelogic Threat Intelligence