signalk-server@2.24.0-beta.3

  • latest version

    2.24.0

  • latest non vulnerable version

  • first published

    9 years ago

  • latest version published

    16 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the signalk-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
• Medium severity: Origin Validation Error

signalk-server is an implementation of a Signal K server for boats.

Affected versions of this package are vulnerable to Origin Validation Error because the redirectUri and fullPostLogoutUri used in the OIDC login and logout flows are built from an unvalidated Host header. An attacker who injects a malicious Host header can make the OIDC provider redirect the authorization code (and any other sensitive tokens) to an attacker-controlled domain, allowing the attacker to intercept OAuth authorization codes and hijack user sessions.

    Note:

This is only exploitable if redirectUri is not explicitly set in the configuration and the reverse proxy forwards the client-supplied Host header, which is the setup the official documentation recommends.

    How to fix Origin Validation Error?

    Upgrade signalk-server to version 2.24.0 or higher.

    >=2.20.0 <2.24.0
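The following is an added example, not code from signalk-server or from Snyk, showing the pattern the advisory describes: a redirect_uri assembled from the request's Host header, next to a hardened version that uses the configured redirectUri or an explicit host allowlist. The callback path /signalk/auth/oidc/callback, the config field names and the sample requests are assumptions made for the illustration.

```javascript
// Added example, not signalk-server's own code. The callback path and the
// config field names (redirectUri, allowedHosts, publicProtocol) are assumed.

// Vulnerable pattern: the OIDC redirect_uri is assembled from the request's
// Host header. Behind a proxy that forwards the client's Host unchanged, the
// client decides which domain the identity provider will send the code to.
function buildRedirectUriVulnerable(req) {
  const proto = req.headers['x-forwarded-proto'] || 'http';
  return `${proto}://${req.headers.host}/signalk/auth/oidc/callback`;
}

// Hardened pattern: use the operator-configured redirectUri when present;
// otherwise accept only a Host value on an explicit allowlist (host[:port],
// compared case-insensitively) and never take the scheme from the request.
function buildRedirectUriSafe(req, config) {
  if (config.redirectUri) {
    return config.redirectUri;
  }
  const host = String(req.headers.host || '').trim().toLowerCase();
  if (!config.allowedHosts.includes(host)) {
    throw new Error(`untrusted Host header: "${host}"`);
  }
  return `${config.publicProtocol}://${host}/signalk/auth/oidc/callback`;
}

// The authorization request the browser is sent to. Whatever redirect_uri
// lands here is where the provider will deliver the authorization code.
function buildAuthorizationUrl(authorizeEndpoint, clientId, redirectUri, state) {
  const url = new URL(authorizeEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', 'openid');
  url.searchParams.set('state', state);
  return url.toString();
}

// Constructed requests (no captured traffic): a normal one and one where the
// attacker injected a Host header pointing at a domain they control.
const legitimateRequest = { headers: { host: 'boat.example.org' } };
const spoofedRequest = { headers: { host: 'attacker.example.net' } };
const config = {
  redirectUri: undefined, // unset: the condition the advisory describes
  allowedHosts: ['boat.example.org'],
  publicProtocol: 'https',
};

// Host that would receive the authorization code for a given request.
function codeDestinationVulnerable(req) {
  const authUrl = new URL(buildAuthorizationUrl(
    'https://idp.example.com/authorize', 'signalk',
    buildRedirectUriVulnerable(req), 'state-abc123'));
  return new URL(authUrl.searchParams.get('redirect_uri')).host;
}

function codeDestinationSafe(req) {
  return new URL(buildRedirectUriSafe(req, config)).host;
}

console.log('vulnerable, spoofed Host ->', codeDestinationVulnerable(spoofedRequest));
console.log('hardened, legitimate Host ->', codeDestinationSafe(legitimateRequest));
try {
  codeDestinationSafe(spoofedRequest);
} catch (e) {
  console.log('hardened, spoofed Host ->', e.message);
}
```

The practical check on an existing deployment is the same as the hardened branch: set redirectUri explicitly, or make sure the proxy rewrites Host to a fixed value before the request reaches the server.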
• Critical severity: Authentication Bypass Using an Alternate Path or Channel

signalk-server is an implementation of a Signal K server for boats.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the /skServer/enableSecurity endpoint, which remains reachable after security has been enabled and blindly trusts the type field in the request body. An attacker can gain unauthorized administrative privileges by sending a crafted request that injects a new account whose type field declares it an admin.

    How to fix Authentication Bypass Using an Alternate Path or Channel?

    Upgrade signalk-server to version 2.24.0-beta.4 or higher.

    <2.24.0-beta.4
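The following is an added example, not signalk-server's code, modelling the logic flaw the advisory describes with an in-memory server state: a bootstrap endpoint that can be called again after security is on and that stores whatever type the body claims, next to a hardened handler that works only once and ignores the client-supplied type. The state shape, the request bodies and the status codes are assumptions for the illustration.

```javascript
// Added example, not signalk-server's own code: a minimal in-memory model of
// an "enable security" bootstrap endpoint. The state shape and field names
// (userId, password, type) are assumptions made for the illustration.

function createServer() {
  return { securityEnabled: false, users: [] };
}

// Vulnerable: the handler never checks whether security is already enabled and
// stores whatever `type` the request body claims. An unauthenticated caller can
// therefore add a second account with type "admin" at any time.
function enableSecurityVulnerable(server, body) {
  server.securityEnabled = true;
  server.users.push({ userId: body.userId, password: body.password, type: body.type });
  return { status: 200 };
}

// Hardened: the endpoint only works once, while security is still off; the
// bootstrap account is always the admin regardless of the body; afterwards the
// endpoint refuses and user management goes through the authenticated admin API.
function enableSecuritySafe(server, body) {
  if (server.securityEnabled) {
    return { status: 403, error: 'security already enabled; use the admin user API' };
  }
  if (typeof body.userId !== 'string' || body.userId.length === 0 ||
      typeof body.password !== 'string' || body.password.length < 8) {
    return { status: 400, error: 'userId and a password of at least 8 characters are required' };
  }
  server.securityEnabled = true;
  // A real implementation stores a password hash, never the cleartext.
  server.users.push({ userId: body.userId, password: body.password, type: 'admin' });
  return { status: 200 };
}

// Constructed request bodies: the operator's bootstrap call, then an
// attacker's later, unauthenticated request that claims admin type.
const bootstrapBody = { userId: 'captain', password: 'correct horse battery', type: 'admin' };
const attackerBody = { userId: 'intruder', password: 'pwned-pwned', type: 'admin' };

function adminCount(server) {
  return server.users.filter((u) => u.type === 'admin').length;
}

// Runs the bootstrap call followed by the attacker's call against a fresh
// server and reports what the attacker achieved.
function runScenario(handler) {
  const server = createServer();
  handler(server, bootstrapBody);
  const second = handler(server, attackerBody);
  return {
    secondStatus: second.status,
    admins: adminCount(server),
    users: server.users.map((u) => u.userId),
  };
}

console.log('vulnerable:', runScenario(enableSecurityVulnerable));
console.log('hardened:', runScenario(enableSecuritySafe));
```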
• Medium severity: Out-of-bounds Read

signalk-server is an implementation of a Signal K server for boats.

Affected versions of this package are vulnerable to Out-of-bounds Read via the from field of JSON-patch operations (the source pointer of copy and move operations). Because the pointer is resolved with ordinary property access, a crafted from value that targets prototype properties (for example __proto__ or constructor) reads internal Node.js functions and prototype state, which the attacker then copies into their own application data and exfiltrates.

    How to fix Out-of-bounds Read?

    Upgrade signalk-server to version 2.24.0 or higher.

    <2.24.0
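The following is an added example, not signalk-server's code, showing why a JSON-patch from pointer resolved with plain property access reaches prototype state (Snyk files this as an out-of-bounds read; in JavaScript terms it is a read through the prototype chain), next to a resolver that only follows own properties and rejects prototype segments outright. The sample document, the patch operations and the copy implementation are constructed for the illustration.

```javascript
// Added example, not signalk-server's own code. The document and the patch
// operations below are constructed, not real Signal K data.

function parsePointer(pointer) {
  if (pointer === '') return [];
  if (typeof pointer !== 'string' || pointer[0] !== '/') {
    throw new Error(`invalid JSON pointer: ${pointer}`);
  }
  // RFC 6901 unescaping: ~1 -> "/", then ~0 -> "~" (in that order)
  return pointer.slice(1).split('/').map((s) => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// Naive resolver: `cur[seg]` follows the prototype chain, so "/constructor"
// yields the Object function and "/__proto__" yields Object.prototype.
function resolveNaive(doc, pointer) {
  let cur = doc;
  for (const seg of parsePointer(pointer)) {
    if (cur === undefined || cur === null) throw new Error('path not found');
    cur = cur[seg];
  }
  return cur;
}

const PROTOTYPE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened resolver: refuse prototype segments and only step into own
// properties; array indices must be plain decimal integers within range.
function resolveSafe(doc, pointer) {
  let cur = doc;
  for (const seg of parsePointer(pointer)) {
    if (PROTOTYPE_SEGMENTS.has(seg)) throw new Error(`refusing prototype segment: ${seg}`);
    if (cur === null || typeof cur !== 'object') throw new Error('path not found');
    if (Array.isArray(cur)) {
      if (!/^(0|[1-9][0-9]*)$/.test(seg) || Number(seg) >= cur.length) throw new Error('path not found');
      cur = cur[Number(seg)];
    } else {
      if (!Object.prototype.hasOwnProperty.call(cur, seg)) throw new Error('path not found');
      cur = cur[seg];
    }
  }
  return cur;
}

// Minimal `copy` operation: read via the given resolver, write under `path`.
// The write side applies the same own-property discipline so the target
// cannot be steered into a prototype either (that would be pollution, not a read).
function applyCopy(doc, op, resolver) {
  const value = resolver(doc, op.from);
  const segs = parsePointer(op.path);
  if (segs.length === 0) throw new Error('cannot replace the root');
  const last = segs.pop();
  let parent = doc;
  for (const seg of segs) {
    if (PROTOTYPE_SEGMENTS.has(seg) || !Object.prototype.hasOwnProperty.call(parent, seg)) {
      throw new Error('target path not found');
    }
    parent = parent[seg];
  }
  if (PROTOTYPE_SEGMENTS.has(last)) throw new Error('refusing to write a prototype segment');
  parent[last] = value;
  return doc;
}

function makeDoc() {
  return { vessels: { self: { name: 'Example Boat', navigation: { speedOverGround: 3.2 } } } };
}

// Attacker-supplied patch: copies a prototype property into the vessel's
// own data, where it would later be served to any reader of that path.
const maliciousCopy = { op: 'copy', from: '/constructor', path: '/vessels/self/leak' };
const legitimateCopy = { op: 'copy', from: '/vessels/self/name', path: '/vessels/self/displayName' };

function leakedTypeNaive() {
  const doc = applyCopy(makeDoc(), maliciousCopy, resolveNaive);
  return typeof doc.vessels.self.leak; // "function": the Object constructor
}

function safeRejects(op) {
  try { applyCopy(makeDoc(), op, resolveSafe); return false; } catch (e) { return true; }
}

console.log('naive resolver leaks:', leakedTypeNaive());
console.log('naive /__proto__ is Object.prototype:', resolveNaive(makeDoc(), '/__proto__') === Object.prototype);
console.log('hardened rejects malicious copy:', safeRejects(maliciousCopy));
console.log('hardened allows legitimate copy:', !safeRejects(legitimateCopy));
```

The same own-property check belongs on every pointer a patch supplies (path for add, replace, remove and test, from for copy and move), not only on from; a denylist of the three prototype segments alone is not enough if the resolver still walks inherited properties.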