Latest News

[Note] This is a separate issue from the RCE vulnerability (State Pollution) currently being patched. While related to tokensecurity.js, it involves different endpoints and risks. ### Summary An unauthenticated information disclosure vulnerability allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks. ### Details The vulnerability stems from the fact that several sensitive API endpoints are not included in the authentication middleware's protection list in `src/tokensecurity.js`. **Vulnerable Code Analysis:** 1. **Missing Protection**: The `tokensecurity.js` file defines an array of paths that require authentication. However, the following paths defined in `src/serverroutes.ts` are missing from this list: - `/skServer/serialports` - `/skServer/availablePaths` - `/skServer/hasAnalyzer` 2. **Unrestricted Access*...

### Summary A Denial of Service (DoS) vulnerability allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. ### Details The vulnerability is caused by a lack of rate limiting and improper memory management for incoming access requests. **Vulnerable Code Analysis:** 1. **In-Memory Storage**: In `src/requestResponse.js`, requests are stored in a simple JavaScript object: ```javascript const requests = {} ``` 2. **Unbounded Growth**: The `createRequest` function adds new requests to this object without checking the current size or count of existing requests. 3. **Infrequent Pruning**: The `pruneRequests` function, which removes old requests, runs only once every **15 minutes** (`pruneIntervalRate`). 4. **No Rate Limiting**: The endpoint `/signalk/v1/access/requests` accepts POST requests...

### Summary An unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). ### Details The vulnerability is caused by the use of a module-level global variable `restoreFilePath` in `src/serverroutes.ts`, which is shared across all requests. **Vulnerable Code Analysis:** 1. **Global State**: `restoreFilePath` is defined at the top level of the module. ```typescript // src/serverroutes.ts let restoreFilePath: string ``` 2. **Unauthenticated State Pollution**: The `/skServer/validateBackup` endpoint updates this variable. Crucially, this endpoint **lacks authentication middleware**, allowing any user to access it. ```typescript app.post(`${SERVERROUTESPREFIX}/va...

Cybersecurity experts discuss 2026 predictions, highlighting the rise of AI-driven threats, the shift to resilience over prevention, and the urgent need for advanced security measures to combat evolving risks

From securing MCPs and supply chain defenses to formal AI and quantum governance, experts share their wish lists for cyber safety in 2026.

The threat actor known as Transparent Tribe has been attributed to a fresh set of attacks targeting Indian governmental, academic, and strategic entities with a remote access trojan (RAT) that grants them persistent control over compromised hosts. "The campaign employs deceptive delivery techniques, including a weaponized Windows shortcut (LNK) file masquerading as a legitimate PDF document

Attack Surface Management (ASM) tools promise reduced risk. What they usually deliver is more information.  Security teams deploy ASM, asset inventories grow, alerts start flowing, and dashboards fill up. There is visible activity and measurable output. But when leadership asks a simple question, “Is this reducing incidents?” the answer is often unclear.  This gap between effort and

The tactics behind protest policing are changing—from one of cooperation to intentional antagonism for political marketing purposes.

Several AI-related stories in 2025 highlighted how quickly AI systems can move beyond meaningful human control.

Cybersecurity researchers have disclosed details of a phishing campaign that involves the attackers impersonating legitimate Google-generated messages by abusing Google Cloud's Application Integration service to distribute emails. The activity, Check Point said, takes advantage of the trust associated with Google Cloud infrastructure to send the messages from a legitimate email address ("