Server-side Request Forgery (SSRF) Affecting signalk-server package, versions <2.28.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-SIGNALKSERVER-17817902
  • published5 Jul 2026
  • disclosed18 Jun 2026
  • creditanushkavirgaonkar

Introduced: 18 Jun 2026

NewCVE-2026-55591  (opens in a new tab)
CWE-918  (opens in a new tab)

How to fix?

Upgrade signalk-server to version 2.28.0 or higher.

Overview

signalk-server is an An implementation of a Signal K server for boats.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the makeRemoteRequest function. An attacker can access internal network resources, cloud metadata services, and arbitrary external hosts by supplying crafted parameters to administrative endpoints without authentication. This allows exfiltration of sensitive data, internal network scanning, and interaction with internal APIs. The attacker can also bypass TLS certificate verification by setting the selfsignedcert parameter, and exploit path traversal in the checkAccessRequest endpoint to target arbitrary paths on the destination host. This is only exploitable if the server is running with default security settings and no admin user is configured.

CVSS Base Scores

version 4.0
version 3.1