{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39320", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.266Z", "datePublished": "2026-04-21T00:07:10.371Z", "dateUpdated": "2026-04-21T19:36:54.787Z"}, "containers": {"cna": {"title": "Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884"}, {"name": "https://github.com/SignalK/signalk-server/pull/2568", "tags": ["x_refsource_MISC"], "url": "https://github.com/SignalK/signalk-server/pull/2568"}, {"name": "https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d", "tags": ["x_refsource_MISC"], "url": "https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d"}, {"name": "https://github.com/SignalK/signalk-server/releases/tag/v2.25.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.25.0"}], "affected": [{"vendor": "SignalK", "product": "signalk-server", "versions": [{"version": "< 2.25.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T00:07:10.371Z"}, "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the `context` parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests. Version 2.25.0 contains a fix."}], "source": {"advisory": "GHSA-7gcj-phff-2884", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:36:30.279521Z", "id": "CVE-2026-39320", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:36:54.787Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39320", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:36:30.279521Z"}}}], "references": [{"url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:36:52.069Z"}}], "cna": {"title": "Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths", "source": {"advisory": "GHSA-7gcj-phff-2884", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "SignalK", "product": "signalk-server", "versions": [{"status": "affected", "version": "< 2.25.0"}]}], "references": [{"url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884", "name": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/SignalK/signalk-server/pull/2568", "name": "https://github.com/SignalK/signalk-server/pull/2568", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d", "name": "https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/SignalK/signalk-server/releases/tag/v2.25.0", "name": "https://github.com/SignalK/signalk-server/releases/tag/v2.25.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the `context` parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests. Version 2.25.0 contains a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T00:07:10.371Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39320", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:36:54.787Z", "dateReserved": "2026-04-06T19:31:07.266Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T00:07:10.371Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2DAD2E1E-F9F3-40FA-B483-3AB2A3093CFB", "versionEndExcluding": "2.25.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the `context` parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests. Version 2.25.0 contains a fix."}], "id": "CVE-2026-39320", "lastModified": "2026-04-24T20:51:54.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T01:16:05.063", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/SignalK/signalk-server/pull/2568"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.25.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.25.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "signalk-server", "source": "cna", "vendor": "SignalK"}, "product": "signalk-server", "vendor": "signalk"}], "analysis": {"en": {"generated_at": "2026-04-22T03:25:28.971729+00:00", "value": {"mitigation_remediation": ["Apply the latest Release 2.25.0 or later, which patches the Regular Expression Denial of Service (CWE\u20111333) by sanitizing the context parameter in WebSocket subscriptions.", "For systems that cannot upgrade immediately, enforce strict input validation to escape or reject regex metacharacters, thereby mitigating CWE\u20111333 and preventing excessive resource consumption described by CWE\u2011400.", "Restrict WebSocket subscription access to authenticated or trusted clients and enforce request rate\u2011limiting or CPU\u2011usage monitoring to prevent the server from reaching 100\u202f% CPU and a full denial of service."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Signal K Server application provided by SignalK (signalk-server). All releases earlier than version 2.25.0 are impacted; version 2.25.0 and later contain the fix.", "description_and_impact": "Signal K Server contains a regular expression denial\u2011of\u2011service flaw that allows an unauthenticated attacker to inject unescaped regex metacharacters into the context parameter of a WebSocket subscription. The injected characters cause the Node.js event loop to perform catastrophic backtracking against long identifiers such as the server\u2019s own UUID, resulting in CPU saturation and a total denial of service to all further API and socket requests.", "risk_and_exploitability": "With a CVSS score of 7.5 the vulnerability is considered high severity, but the EPSS score is reported as less than 1% and the issue is not listed in the CISA KEV catalog, indicating no publicly known exploitation yet. The likely attack vector is remote, as any entity that can connect to the server\u2019s WebSocket endpoint can craft a malicious subscription path without authentication. Once triggered, the server\u2019s CPU can reach 100\u202f% and the process becomes completely unresponsive to additional traffic."}}}}, "created": "2026-04-21T02:30:25.670195+00:00", "updated": "2026-04-22T03:30:06.688944+00:00", "vendors": ["signalk", "signalk$PRODUCT$signalk-server"]}