Threat Advisory

Signal K Server Vulnerability Exposes Regular Expression Denial of Service

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-39320 (CVSS 7.5) is a vulnerability in Signal K Server, a server application that runs on a central hub in a boat, affecting versions of the npm package signalk-server prior to 2.25.0. It allows an unauthenticated attacker to perform a Regular Expression Denial of Service (ReDoS) attack against the WebSocket subscription handling logic by injecting unescaped regex metacharacters into the `context` parameter of a stream subscription. The resulting pattern triggers catastrophic backtracking when evaluated against long string identifiers, blocking the server's Node.js event loop: CPU usage spikes to 100% and the server stops responding to further API or socket requests. The attack requires no privileges or user interaction and is carried out over the network; its impact is loss of availability, with system downtime and potential data loss, provided the attacker can submit a crafted `context` parameter to the affected server.

RECOMMENDATION:

We recommend updating signalk-server to version 2.25.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-7gcj-phff-2884
