CVE-2026-25228 is a path traversal vulnerability identified in the SignalK Server, a server application commonly deployed on central hubs within boats to manage marine data. The vulnerability affects versions prior to 2.20.3 and specifically impacts Windows-based deployments. The root cause lies in the validateAppId() function, which attempts to restrict pathname inputs by blocking forward slashes ('/'), but fails to block backslashes ('\'). On Windows systems, backslashes are recognized as directory separators, and the path.join() function treats them accordingly. This oversight allows an authenticated user to craft inputs containing backslashes to escape the intended applicationData directory, thereby gaining the ability to read, write, and list arbitrary files and directories on the host filesystem. The vulnerability requires the attacker to be authenticated but does not require additional user interaction, making exploitation feasible for legitimate users with access. The impact primarily compromises confidentiality by exposing sensitive files outside the application’s sandbox. Integrity and availability are not directly affected. The vulnerability has been assigned a CVSS v3.1 score of 5.0 (medium severity), reflecting its moderate impact and ease of exploitation given authentication. No public exploits have been reported to date. The issue is resolved in SignalK Server version 2.20.3, which properly sanitizes pathname inputs to prevent directory traversal via backslashes.

For European organizations, particularly those in maritime industries or sectors utilizing SignalK Server on Windows platforms, this vulnerability poses a risk of unauthorized disclosure of sensitive filesystem data. Attackers with authenticated access can access files beyond the intended applicationData directory, potentially exposing configuration files, credentials, or other sensitive information. While the vulnerability does not allow modification or deletion of files, the confidentiality breach could facilitate further attacks or data leakage. Given the specialized use of SignalK Server in marine environments, organizations operating fleets, ports, or marine research facilities in Europe could face operational risks if sensitive navigation or system data is exposed. The medium severity rating indicates a moderate threat level, but the requirement for authentication limits exposure to insiders or compromised accounts. Nonetheless, the potential for lateral movement or information gathering within maritime networks makes timely remediation important.

European organizations should immediately upgrade all SignalK Server instances to version 2.20.3 or later to ensure the vulnerability is patched. Until upgrades can be performed, restrict access to the applicationData API to only highly trusted users and monitor authenticated user activity for suspicious file access patterns. Implement strict network segmentation to isolate SignalK Server hosts from broader enterprise networks, reducing the risk of lateral movement. Employ host-based file integrity monitoring to detect unauthorized file reads or writes outside expected directories. Additionally, review and harden authentication mechanisms to prevent unauthorized access. Conduct regular audits of SignalK Server configurations and logs to identify potential exploitation attempts. Finally, educate users with access about the risks of this vulnerability and the importance of credential security.