CVE-2026-34083: CWE-346: Origin Validation Error in SignalK signalk-server
CVE-2026-34083 is a medium severity vulnerability in SignalK Server versions prior to 2.24.0. It involves an origin validation error in the OIDC login and logout handlers, where the HTTP Host header is not validated and is used to construct the OAuth2 redirect_uri. This allows an attacker to spoof the Host header and steal OAuth authorization codes, potentially hijacking user sessions. The vulnerability arises because the redirectUri configuration is unset by default, so an arbitrary domain can be injected. Exploitation requires user interaction but no authentication, and the impact includes loss of confidentiality and integrity of user sessions. The issue has been patched in version 2.24.0.
AI Analysis
Technical Summary
SignalK Server, a central hub application for marine data, contains in versions prior to 2.24.0 a vulnerability classified as CWE-346 (Origin Validation Error) and CWE-601 (Open Redirect). The flaw exists in the OpenID Connect (OIDC) login and logout handlers, where the HTTP Host header is used without validation to construct the OAuth2 redirect_uri parameter. Because the redirectUri configuration is silently unset by default, the application relies on the Host header to build the redirect URI. An attacker can exploit this by spoofing the Host header in HTTP requests, causing the OIDC provider to send authorization codes to an attacker-controlled domain. This enables the attacker to steal OAuth authorization codes and hijack user sessions, compromising confidentiality and integrity. The vulnerability does not require authentication but does require user interaction (e.g., login). The CVSS v3.1 score is 6.1 (medium), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and partial confidentiality and integrity impact. The vulnerability has been patched in SignalK Server version 2.24.0, and no known exploits have been reported in the wild as of the publication date.
Potential Impact
The primary impact of this vulnerability is the potential theft of OAuth authorization codes, which can lead to session hijacking and unauthorized access to user accounts on the SignalK Server. This compromises the confidentiality and integrity of user sessions and sensitive data managed by the server. Since SignalK Server is typically deployed as a central hub on boats, exploitation could lead to unauthorized control or monitoring of maritime systems, potentially affecting navigation, communication, or safety-related functions. The vulnerability could be exploited remotely over the network without authentication, increasing the risk. However, exploitation requires user interaction, which somewhat limits the attack surface. Organizations operating maritime vessels or fleets using SignalK Server versions prior to 2.24.0 are at risk of targeted attacks that could disrupt operations or lead to data breaches.
Mitigation Recommendations
1. Upgrade all SignalK Server instances to version 2.24.0 or later, where the vulnerability is patched.
2. If immediate upgrade is not possible, implement strict validation of the HTTP Host header at the network perimeter or application firewall to reject requests with suspicious or unexpected Host values.
3. Configure the redirectUri explicitly in the SignalK Server configuration to avoid reliance on the Host header for OAuth2 redirect URI construction.
4. Monitor OAuth authorization flows and logs for unusual redirect URIs or authorization code requests that could indicate exploitation attempts.
5. Educate users about phishing and social engineering risks that could facilitate the user interaction required for exploitation.
6. Employ network segmentation and access controls to limit exposure of the SignalK Server to untrusted networks.
7. Regularly audit and review authentication and session management mechanisms to detect anomalies.
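The following is an added illustration, not SignalK's own code, of the weakness described in the Technical Summary and of mitigation 3 above: the unsafe pattern derives the OAuth2 redirect_uri from the request's Host header, while the hardened builder uses an operator-configured redirectUri and only falls back to Host when it matches an allowlist. The config keys allowedHosts and the callback path /auth/oidc/callback are assumptions made for this example.

```javascript
// Added example (not SignalK Server's code). Shows why an unvalidated Host
// header is an origin validation problem and how to build redirect_uri safely.

// Hypothetical callback path; SignalK's real path is not given on this page.
const CALLBACK_PATH = '/auth/oidc/callback';

// The weak pattern: whoever controls the Host header controls where the OIDC
// provider will later send the authorization code.
function buildRedirectUriUnsafe(req) {
  return `http://${req.headers.host}${CALLBACK_PATH}`;
}

// Hardened builder. `config.redirectUri` is the explicit operator setting the
// advisory recommends; `config.allowedHosts` is an assumed allowlist used only
// when redirectUri is unset. Any other Host value is rejected outright.
function buildRedirectUri(config, req) {
  if (config.redirectUri) {
    // Absolute, operator-owned URL: the request cannot influence it at all.
    return new URL(config.redirectUri).toString();
  }
  const host = String(req.headers.host || '').toLowerCase();
  const allowed = (config.allowedHosts || []).map((h) => h.toLowerCase());
  if (!allowed.includes(host)) {
    throw new Error(`Rejected untrusted Host header: ${JSON.stringify(host)}`);
  }
  // Scheme comes from the server's own view of the connection, not from a
  // client-supplied header; proxy setups should set redirectUri explicitly.
  const proto = req.protocol === 'https' ? 'https' : 'http';
  return new URL(CALLBACK_PATH, `${proto}://${host}`).toString();
}

// Operator-side check for mitigation 3: flag deployments still relying on Host.
function redirectUriIsExplicit(config) {
  return typeof config.redirectUri === 'string' && config.redirectUri.length > 0;
}

module.exports = { buildRedirectUriUnsafe, buildRedirectUri, redirectUriIsExplicit };
```

With redirectUri set, a spoofed Host header has no effect on the result; with it unset, the fallback throws unless the Host value was explicitly allowed.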
Affected Countries
United States, United Kingdom, Norway, Netherlands, Germany, Japan, Australia, Canada, Singapore, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-25T16:21:40.869Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ce9803e6bfc5ba1dea5ad1
Added to database: 4/2/2026, 4:23:31 PM
Last enriched: 4/2/2026, 4:38:52 PM
Last updated: 4/2/2026, 5:37:40 PM