SignalK signalk-server is a server application designed to run on a central hub in boats, facilitating data exchange and control. Versions prior to 2.19.0 include a REST API endpoint that allows administrators to install npm packages by specifying a package name and version. While the package name is validated against the npm registry to ensure it is a known plugin or webapp, the version parameter is not sanitized and accepts arbitrary npm version specifiers. npm’s version syntax is highly flexible, allowing installation from git repositories, GitHub shorthand, or HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it executes any postinstall scripts defined in the package.json file. An attacker with administrative access to the signalk-server can exploit this by specifying a malicious package version pointing to an attacker-controlled source containing a harmful postinstall script. This results in arbitrary code execution on the server, compromising the system. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and has a CVSS 4.0 score of 7.3 (high severity), reflecting network attack vector, low complexity, no user interaction, but requiring privileges. The vulnerability was publicly disclosed on January 1, 2026, and fixed in version 2.19.0 of signalk-server.

For European organizations operating maritime vessels or infrastructure that use SignalK signalk-server, this vulnerability poses a significant risk. Exploitation can lead to full compromise of the central hub server, allowing attackers to execute arbitrary code, potentially leading to data theft, manipulation of navigation or sensor data, disruption of vessel operations, or pivoting to other internal systems. The compromise of maritime control systems could have safety, operational, and regulatory consequences, especially for commercial shipping, research vessels, or critical infrastructure monitoring. Given the network-exposed nature of the API and the lack of user interaction required, the attack surface is broad for insiders or attackers who gain administrative credentials. The vulnerability undermines confidentiality, integrity, and availability of the affected systems, potentially causing operational downtime and financial losses.

European organizations should immediately upgrade all signalk-server instances to version 2.19.0 or later, where the vulnerability is patched. Until upgrade is possible, restrict administrative access to the REST API to trusted personnel and networks, employing network segmentation and strong authentication controls. Monitor logs for unusual npm package installation requests or unexpected postinstall script executions. Implement application-layer firewalls or API gateways to validate and sanitize inputs to the package installation endpoint. Conduct regular audits of installed npm packages and verify their sources. Additionally, enforce the principle of least privilege for administrative accounts and consider using containerization or sandboxing to limit the impact of potential code execution. Finally, maintain up-to-date incident response plans tailored to maritime operational technology environments.