CVE-2026-39320: CWE-400: Uncontrolled Resource Consumption in SignalK signalk-server
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the `context` parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests. Version 2.25.0 contains a fix.
AI Analysis
Technical Summary
CVE-2026-39320 describes a high-severity vulnerability in SignalK Server before version 2.25.0. The flaw is an uncontrolled resource consumption issue (CWE-400) caused by a Regular Expression Denial of Service (ReDoS) attack vector in the WebSocket subscription handling logic. Specifically, injecting unescaped regex metacharacters into the context parameter of a stream subscription causes catastrophic backtracking when processing long string identifiers such as the server's self UUID. This leads to a complete denial of service by maxing out CPU resources and blocking further API or socket requests. The vulnerability requires no authentication and has a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue is resolved in SignalK Server version 2.25.0.
Potential Impact
An unauthenticated attacker can cause a total denial of service on the SignalK Server by exploiting the ReDoS vulnerability. This results in 100% CPU utilization and complete unresponsiveness of the server to API and WebSocket requests, disrupting normal operations on the affected boat central hub. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
Upgrade SignalK Server to version 2.25.0 or later, where this vulnerability is fixed. Patch status is confirmed by the version information in the advisory. No other mitigations are indicated or required.
CVE-2026-39320: CWE-400: Uncontrolled Resource Consumption in SignalK signalk-server
Description
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the `context` parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests. Version 2.25.0 contains a fix.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-39320 describes a high-severity vulnerability in SignalK Server before version 2.25.0. The flaw is an uncontrolled resource consumption issue (CWE-400) caused by a Regular Expression Denial of Service (ReDoS) attack vector in the WebSocket subscription handling logic. Specifically, injecting unescaped regex metacharacters into the context parameter of a stream subscription causes catastrophic backtracking when processing long string identifiers such as the server's self UUID. This leads to a complete denial of service by maxing out CPU resources and blocking further API or socket requests. The vulnerability requires no authentication and has a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue is resolved in SignalK Server version 2.25.0.
Potential Impact
An unauthenticated attacker can cause a total denial of service on the SignalK Server by exploiting the ReDoS vulnerability. This results in 100% CPU utilization and complete unresponsiveness of the server to API and WebSocket requests, disrupting normal operations on the affected boat central hub. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
Upgrade SignalK Server to version 2.25.0 or later, where this vulnerability is fixed. Patch status is confirmed by the version information in the advisory. No other mitigations are indicated or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-06T19:31:07.266Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e70c3119fe3cd2cda19908
Added to database: 4/21/2026, 5:33:37 AM
Last enriched: 4/21/2026, 5:33:43 AM
Last updated: 4/22/2026, 6:10:40 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.