Security · Advisories
What I've found.
Coordinated marine-security advisories published by 32°N — every CVE-style finding from the audits, with severity, target software, and a detail page per advisory. The same corpus powers the Marine Security Scanner's signature pack and the in-app systems-security audit. Disclosed responsibly under embargo-then-publish; the embargoed set isn't visible here. 120 published across 1 ecosystem.
Showing 1–25 of 120
- CriticalVulnerabilityMSS-SK-2026-0001signalkPoC available
WebSocket auth bypass via unhandled Error type
When allow_readonly=false and no token is provided, authorizeWS() throws plain Error('Missing access token') (tokensecurity.ts:1441). The createPrimusAuthorize catch (ws.ts:907-916) only rejects InvalidTokenError/JsonWebTokenError/TokenExpiredError; plain Error falls through the else branch which calls authorized() with no argument — Primus treats that as success, silently admitting the unauthenticated WebSocket connection.
SignalK ServerPublished 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0019signalkPoC available
RCE via Node-RED flow deployment
RCE via Node-RED flow deployment. CVE: CVE-2026-33950
@signalk/signalk-node-red @ 4.3.0Published 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0020signalkPoC available
Unauthenticated RCE via track filename injection
Unauthenticated RCE via track filename injection.
galadrielmap_skPublished 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0021signalkPoC available
Unauthenticated FBP runtime on port 3569
Unauthenticated FBP runtime on port 3569.
noflo-signalkPublished 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0024signalkPoC available
eval() on plugin options enables RCE
eval() on plugin options enables RCE.
signalk-ecowittPublished 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0025signalkPoC available
N2K Volume/Source field shell injection
N2K Volume/Source field shell injection.
signalk-fusion-devicePublished 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0026signalkPoC available
Unauthenticated MQTT → SignalK delta injection
Unauthenticated MQTT → SignalK delta injection.
signalk-mqtt-bridgePublished 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0027signalkPoC available
Unauthenticated TCP → N2K PGN injection
Unauthenticated TCP → N2K PGN injection.
signalk-n2k-serverPublished 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0028signalkPoC available
Shell injection via notification text (festival TTS)
Shell injection via notification text (festival TTS).
signalk-notification-playerPublished 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0029signalkPoC available
Hardcoded AWS IAM credentials in icon.js
Hardcoded AWS IAM credentials in icon.js.
signalk-push-notificationsPublished 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0030signalkPoC available
Unauthenticated RCE via REPL Unix socket
Unauthenticated RCE via REPL Unix socket.
signalk-replPublished 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0031signalkPoC available
RCE via shell.exec() in scheduled job command
RCE via shell.exec() in scheduled job command.
signalk-schedulerPublished 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0032signalkPoC available
Plaintext AWS credentials stored in plugin config
Plaintext AWS credentials stored in plugin config.
sk-logs-to-aws-s3Published 25 Apr 2026 - CriticalVulnerabilityMSS-SK-2026-0428signalkPoC available
posmv_input_plugin unauth UDP GPS spoofing into navigation.position (SOLAS-relevant)
Default ip='0.0.0.0' on UDP/5602 with no source allow-list, no HMAC, no replay protection. Forged Applanix POS-MV $GRP GID=1 frames write attacker coordinates to navigation.position/attitude/courseOverGroundTrue/rateOfTurn/speedOverGround. POS-MV is the authoritative position source on commercial vessels; ECDIS/autopilot/AIS-out all act on the forgery.
posmv_input_pluginPublished 25 Apr 2026 - HighVulnerabilityMSS-SK-2026-0002signalkPoC available
Plugin auth bypass via appCopy routing methods
src/interfaces/plugins.ts:571 creates a shallow copy of Express via _.assign({}, app, {...}) and passes it to plugins. Express routing methods (app.get/post/...) register routes on the root Express instance, bypassing the /plugins/{id}/ admin auth middleware. ARCHITECTURAL ROOT CAUSE — 12+ confirmed plugin findings are downstream symptoms.
SignalK ServerPublished 25 Apr 2026 - HighVulnerabilityMSS-SK-2026-0003signalkPoC available
Dummy security strategy allows all operations (default)
src/dummysecurity.ts returns true for shouldAllowWrite/shouldAllowPut/checkACL, no-op authorizeWS, passthrough filterReadDelta. This is the DEFAULT on new installs. Any LAN device can read all data, write deltas, install plugins.
SignalK ServerPublished 25 Apr 2026 - HighVulnerabilityMSS-SK-2026-0005signalkPoC available
Plugin npm install runs under sudo on Linux
src/modules.ts:359 spawns sudo npm install <plugin>. npm postinstall scripts therefore execute as root. A malicious or compromised plugin escalates to root via the install lifecycle.
SignalK ServerPublished 25 Apr 2026 - HighVulnerabilityMSS-SK-2026-0015signalkPoC available
WASM plugins self-grant capabilities via package.json
src/wasm/loader/plugin-registry.ts:186-198 reads packageJson.wasmCapabilities and grants them with no admin consent. dataRead/dataWrite default true. PoC verified 11/11 dangerous capabilities self-granted.
SignalK ServerPublished 25 Apr 2026 - HighVulnerabilityMSS-SK-2026-0018signalkPoC available
RCE via datetime command injection (≤1.4.0 only)
RCE via datetime command injection. versions <= 1.4.0 CVE: CVE-2026-23515 VALIDATION: v1.5.0 anchored regex blocks shell metachars; finding only valid for ≤1.4.0.
@signalk/set-system-time @ 1.5.0Published 25 Apr 2026 - HighVulnerabilityMSS-SK-2026-0033signalkPoC available
Azure SAS key stored in plaintext settings.json
Azure SAS key stored in plaintext settings.json.
@sail-cloud/sail-cloud @ 1.2.4Published 25 Apr 2026 - HighVulnerabilityMSS-SK-2026-0035signalkPoC available
SQL injection in LIKE query (unauthenticated TCP)
SQL injection in LIKE query (unauthenticated TCP).
@yachteye/signalk-engineroom-plugin @ 1.2.0Published 25 Apr 2026 - HighVulnerabilityMSS-SK-2026-0036signalkPoC available
Silent AIS data exfiltration to aisfleet.com
Silent AIS data exfiltration to aisfleet.com.
aisfleetPublished 25 Apr 2026 - HighVulnerabilityMSS-SK-2026-0038signalkPoC available
Delta logFile field to shell injection
Delta logFile field to shell injection.
naivegpxloggerPublished 25 Apr 2026 - HighVulnerabilityMSS-SK-2026-0039signalkPoC available
Config injection via torPort
Config injection via torPort.
netaisPublished 25 Apr 2026 - HighVulnerabilityMSS-SK-2026-0041signalkPoC available
Config injection via nmea2000Interface
Config injection via nmea2000Interface.
signalk-ais-navionics-converterPublished 25 Apr 2026
How to report
Found one I missed?
Report a marine-security issue at security@32north.ai with
a GPG-encrypted message, or via GitHub Security Advisories on the
affected repo. The advisory shows up here within a few days of
confirmation (coordinated disclosure timeline applies). Details at
/security.