SCA: security update for signalk-server (GHSA-vfrf-vcj7-wvr8)

high Tenable Self-Hosted Container Security Plugin ID 436541

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of
the access request system have two related features that when combined by themselves and with an
information disclosure vulnerability enable convincing social engineering attacks against administrators.
When a device creates an access request, it specifies three fields: `clientId`, `description`, and
`permissions`. The SignalK admin UI displays the `description` field prominently to the administrator when
showing pending requests, but the actual `permissions` field (which determines the access level granted)
is less visible or displayed separately. This allows an attacker to request `admin` permissions while
providing a description that suggests readonly access. The access request handler trusts the `X-Forwarded-
For` HTTP header without validation to determine the client's IP address. This header is intended to
preserve the original client IP when requests pass through reverse proxies, but when trusted
unconditionally, it allows attackers to spoof their IP address. The spoofed IP is displayed to
administrators in the access request approval interface, potentially making malicious requests appear to
originate from trusted internal network addresses. Since device/source names can be enumerated via the
information disclosure vulnerability, an attacker can impersonate a legitimate device or source, craft a
convincing description, spoof a trusted internal IP address, and request elevated permissions, creating a
highly convincing social engineering scenario that increases the likelihood of administrator approval.
Users should upgrade to version 2.19.0 to fix this issue. (CVE-2025-69203)

See Also

https://github.com/advisories/GHSA-vfrf-vcj7-wvr8

Plugin Details

Severity: High

ID: 436541

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/2/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-69203

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/2/2026

Vulnerability Publication Date: 1/1/2026

Reference Information

CVE: CVE-2025-69203

cwe: CWE-290