SignalK signalk-server, a server application used on central hubs in boats for marine data communication, suffers from a critical authentication bypass vulnerability identified as CVE-2025-68620. The flaw arises from two chained issues present in versions prior to 2.19.0. First, the server allows unauthenticated WebSocket clients connecting to the stream endpoint with the 'serverevents=all' parameter to receive all cached server events, including sensitive ACCESS_REQUEST events. These events contain detailed information such as request IDs, client identifiers, requested permissions, and IP addresses. This occurs because the 'startServerEvents' function indiscriminately sends cached events to any connected client without verifying authorization, and readonly access is allowed for unauthenticated users when 'allow_readonly' is true. Second, the access request status REST endpoint at '/signalk/v1/access/requests/:id' returns the full state of an access request, including the issued JWT token in plaintext once an administrator approves the request. This endpoint uses readonly authentication, permitting unauthenticated access. Exploitation can occur via two paths: an attacker can create a spoofed access request (leveraging IP spoofing to appear legitimate) and poll the request status until approval, or passively monitor the WebSocket stream to discover legitimate request IDs and poll those to steal JWT tokens. Both methods require no authentication or user interaction, enabling complete authentication bypass and credential theft. The vulnerability impacts confidentiality and integrity severely but does not affect availability. The issue is resolved in version 2.19.0 of signalk-server.

For European organizations, particularly those involved in maritime operations, yacht management, and marine IoT deployments, this vulnerability poses a severe risk. Compromise of JWT tokens allows attackers to impersonate legitimate devices or users, potentially leading to unauthorized access to sensitive marine data, manipulation of vessel control systems, or disruption of navigation and communication services. This could result in operational disruptions, safety hazards, and significant financial losses. Additionally, stolen credentials could be leveraged for lateral movement within maritime networks or to launch further attacks on connected infrastructure. The exposure of sensitive access request details also raises privacy concerns. Given the criticality and ease of exploitation without authentication, organizations relying on signalk-server must prioritize patching to prevent potential breaches.

1. Immediate upgrade of all signalk-server instances to version 2.19.0 or later, which contains the fix for this vulnerability. 2. If immediate upgrade is not feasible, disable the 'allow_readonly' setting to prevent unauthenticated readonly WebSocket connections. 3. Restrict network access to the signalk-server endpoints, especially the WebSocket stream and access request REST API, using firewall rules or network segmentation to limit exposure to trusted clients only. 4. Implement monitoring and alerting for unusual access request patterns or repeated polling of access request statuses. 5. Employ network-level authentication or VPNs for remote access to marine hubs to reduce exposure to unauthenticated attackers. 6. Review and tighten administrative approval workflows to detect and prevent approval of suspicious access requests. 7. Conduct regular audits of issued JWT tokens and revoke any tokens suspected to be compromised. 8. Educate administrators on the risks of approving access requests without verification.