CVE-2025-68619: CWE-94: Improper Control of Generation of Code ('Code Injection') in SignalK signalk-server
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script. Version 2.19.0 contains a patch for the issue.
AI Analysis
Technical Summary
SignalK signalk-server is a server application deployed on central hubs in boats to manage marine data and applications. Versions prior to 2.19.0 include a REST API endpoint that allows administrators to install npm packages by specifying a package name and version. While the package name is validated against the npm registry to ensure it is a known plugin or webapp, the version parameter is not sanitized and accepts arbitrary npm version specifiers, including URLs, GitHub shorthand, and git repositories. npm's flexible version syntax allows installation from remote sources, and critically, npm executes any postinstall scripts defined in the package's package.json automatically during installation. This behavior enables an attacker with administrative access to supply a malicious package from an attacker-controlled source containing a harmful postinstall script, resulting in arbitrary code execution on the signalk-server host. This vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and has a CVSS 4.0 score of 7.3 (high severity), reflecting network attack vector, low attack complexity, no user interaction, and high impacts on confidentiality, integrity, and availability. The vulnerability was patched in version 2.19.0 by sanitizing or restricting the version parameter to prevent arbitrary code execution. No known exploits are currently reported in the wild. The threat is significant because it allows an attacker with admin privileges to fully compromise the signalk-server environment, potentially impacting vessel operations and data integrity.
Potential Impact
For European organizations, particularly those in the maritime sector using SignalK signalk-server on vessels or shore-based infrastructure, this vulnerability poses a serious risk. Successful exploitation can lead to arbitrary code execution, allowing attackers to compromise the confidentiality of sensitive maritime data, alter or corrupt operational data (integrity), and disrupt services (availability). This could affect navigation, vessel monitoring, and safety systems reliant on signalk-server. Given the critical nature of maritime operations and the increasing reliance on digital systems, such a compromise could have operational, safety, and regulatory consequences. Additionally, attackers could use the compromised server as a foothold to pivot into broader organizational networks. The requirement for admin privileges limits the attack surface but insider threats or compromised admin credentials could enable exploitation. The absence of user interaction means the attack can be automated once admin access is obtained. European maritime companies, research institutions, and port authorities using vulnerable versions are at risk of operational disruption and data breaches.
Mitigation Recommendations
1. Immediate upgrade of all signalk-server instances to version 2.19.0 or later, where the vulnerability is patched.
2. Restrict administrative access to the REST API strictly to trusted personnel and secure admin credentials with strong authentication mechanisms, ideally multi-factor authentication.
3. Implement network segmentation to isolate signalk-server hosts from broader enterprise networks to limit lateral movement in case of compromise.
4. Monitor npm package installation logs and REST API usage for unusual or unauthorized package installation attempts, especially those involving non-standard version specifiers or URLs.
5. Employ runtime application self-protection (RASP) or host-based intrusion detection systems (HIDS) to detect and block suspicious postinstall script executions.
6. Conduct regular audits of installed npm packages and verify their sources and integrity.
7. Educate administrators about the risks of installing packages from untrusted sources and enforce policies to prevent such actions.
8. Consider disabling or restricting npm postinstall script execution if feasible within operational constraints.
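A defender-side check for the flaw described in the technical summary and for the monitoring in mitigation item 4, as an added example that is not signalk-server's own code: it classifies an npm version specifier by where npm would resolve it from, lets only registry versions through to the install call, and scans request-log lines for the URL, git and GitHub-shorthand forms. The `<ts> INSTALL <name> <version>` log format, the sample lines and the package name are constructed for the example.

```javascript
// Added example, not signalk-server's own code: allow-list the version
// parameter before it is handed to `npm install <name>@<spec>`.

// Plain versions (1.2.3, 1.2.3-beta.1) and simple ranges (^1.2, ~1.2.3, 1.x).
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const RANGE = /^[\^~]?\d+(?:\.(?:\d+|x))?(?:\.(?:\d+|x))?$/;

// Returns where npm would resolve this specifier from. Only 'registry'
// specifiers are safe to forward to npm; everything else is rejected.
function classifySpecifier(spec) {
  if (typeof spec !== 'string') return 'invalid';
  const s = spec.trim();
  if (s === '' || s.length > 64) return 'invalid';
  if (s === 'latest' || EXACT.test(s) || RANGE.test(s)) return 'registry';
  if (/^\.{0,2}\//.test(s) || s.startsWith('~')) return 'path';        // ./d, ../d, /abs, ~/d
  if (/^[a-z][a-z0-9+.-]*:/i.test(s)) return 'scheme';                  // https:, git+ssh:, file:, github:, npm:
  if (/^[\w.-]+\/[\w.-]+(?:#.*)?$/.test(s)) return 'github-shorthand';  // user/repo[#ref]
  return 'unknown';                                                     // e.g. ">=1 <2" or "*": also rejected
}

// Hardened gate: throws unless the specifier resolves to the registry.
function validateVersionForInstall(spec) {
  const kind = classifySpecifier(spec);
  if (kind !== 'registry') throw new Error(`rejected version specifier (${kind})`);
  return spec.trim();
}

// Detection over an existing log: flag install requests whose version is not
// a registry specifier. Line format `<ts> INSTALL <name> <version>` is assumed;
// a version containing whitespace will not match and is skipped.
function flagInstallRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /^(\S+) INSTALL (\S+) (\S+)$/.exec(line.trim());
    if (!m) continue;
    const kind = classifySpecifier(m[3]);
    if (kind !== 'registry') hits.push({ ts: m[1], name: m[2], version: m[3], kind });
  }
  return hits;
}

// Constructed sample log lines, not real signalk-server output.
const SAMPLE_LOG = [
  '2026-01-01T10:00:00Z INSTALL example-plugin 1.4.2',
  '2026-01-01T10:01:00Z INSTALL example-plugin ^1.4',
  '2026-01-01T10:02:00Z INSTALL example-plugin https://example.invalid/pkg.tgz',
  '2026-01-01T10:03:00Z INSTALL example-plugin someuser/somerepo#main',
  '2026-01-01T10:04:00Z INSTALL example-plugin git+ssh://git@example.invalid/r.git',
];
```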
Affected Countries
Norway, Netherlands, Germany, United Kingdom, France, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-19T18:50:09.990Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6956c3e8db813ff03e77f102
Added to database: 1/1/2026, 6:58:48 PM
Last enriched: 1/1/2026, 7:14:01 PM
Last updated: 1/8/2026, 7:25:03 AM