CVE-2025-68273: Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints

January 2, 2026 (updated April 27, 2026)

An unauthenticated information disclosure vulnerability allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks.

References

github.com/SignalK/signalk-server/commit/ead2a03d8994969cafcca0320abee16f0e66e7a9
github.com/SignalK/signalk-server/releases/tag/v2.19.0
github.com/SignalK/signalk-server/security/advisories/GHSA-fpf5-w967-rr2m
github.com/advisories/GHSA-fpf5-w967-rr2m
nvd.nist.gov/vuln/detail/CVE-2025-68273

Code Behaviors & Features

Detect and mitigate CVE-2025-68273 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →