CVE-2025-68272: Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding

January 2, 2026 (updated April 27, 2026)

A Denial of Service (DoS) vulnerability allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (/signalk/v1/access/requests). This causes a “JavaScript heap out of memory” error due to unbounded in-memory storage of request objects.

References

github.com/SignalK/signalk-server/commit/55e3574d8266fbc0ed8e453ad4557073541566f5
github.com/SignalK/signalk-server/releases/tag/v2.19.0
github.com/SignalK/signalk-server/security/advisories/GHSA-7rqc-ff8m-7j23
github.com/advisories/GHSA-7rqc-ff8m-7j23
nvd.nist.gov/vuln/detail/CVE-2025-68272

Code Behaviors & Features

Detect and mitigate CVE-2025-68272 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →