SCA: security update for signalk-server (GHSA-fpf5-w967-rr2m)

medium Tenable Cloud Security Plugin ID 436544

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated
information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive
system information, including the full SignalK data schema, connected serial devices, and installed
analyzer tools. This exposure facilitates reconnaissance for further attacks. Version 2.19.0 patches the
issue. (CVE-2025-68273)

Solution

Update the signalk-server library and its related packages to version 2.19.0 or later.

See Also

https://github.com/advisories/GHSA-fpf5-w967-rr2m

Plugin Details

Severity: Medium

ID: 436544

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/2/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2025-68273

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/2/2026

Vulnerability Publication Date: 1/1/2026

Reference Information

CVE: CVE-2025-68273

cwe: CWE-200