Signal K Server Regular Expression Denial-of-Service Vulnerability via WebSocket Subscriptions
Vulnerability
A denial-of-service vulnerability has been identified in Signal K Server versions prior to 2.25.0. The issue arises in the WebSocket subscription handling, where unescaped regular expression metacharacters can be injected through the 'context' parameter. Exploiting this forces the server's Node.js event loop into catastrophic backtracking, particularly when the resulting pattern is evaluated against long string identifiers such as the server's UUID. As a result, the server's CPU usage spikes to 100% and it becomes unresponsive to further API or socket requests.
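The root cause described above is user-controlled text being compiled into a RegExp. The following is an added example, not Signal K Server's own code, showing the vulnerable shape beside two hardened alternatives. It assumes that a subscription context is a dotted path such as "vessels.self" or "vessels.urn:mrn:signalk:uuid:<uuid>" and that "*" is the only wildcard the server intends to honour; the function names and the allowlist are illustrative.

```javascript
// Added example (not Signal K Server's code). Assumption: a subscription
// "context" is a dotted path like "vessels.self" and "*" is the only
// wildcard that should be honoured.

// Vulnerable shape: the caller's text goes straight into a RegExp, so every
// regex metacharacter in it becomes part of the pattern. A "." matches any
// character instead of a literal dot, and quantifiers or groups supplied by
// the client shape the pattern the server will run against its own IDs.
function contextMatcherUnsafe(context) {
  return new RegExp('^' + context.replace(/\*/g, '.*') + '$');
}

// Hardened shape 1: escape every metacharacter first, then re-introduce the
// single wildcard we actually support. Nothing the client sends can change
// the structure of the resulting pattern.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function contextMatcherSafe(context) {
  const escaped = escapeRegExp(context).replace(/\\\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// Hardened shape 2: avoid RegExp altogether. A glob with a single "*"
// wildcard can be matched by splitting on "*" and scanning the segments
// left to right, which runs in linear time regardless of the input.
function globMatch(pattern, text) {
  const parts = pattern.split('*');
  if (parts.length === 1) return pattern === text;
  if (!text.startsWith(parts[0])) return false;
  let pos = parts[0].length;
  for (let i = 1; i < parts.length - 1; i++) {
    const idx = text.indexOf(parts[i], pos);
    if (idx === -1) return false;
    pos = idx + parts[i].length;
  }
  const last = parts[parts.length - 1];
  return text.endsWith(last) && text.length - last.length >= pos;
}

// Input validation at the boundary: reject any context that contains
// characters a Signal K path never needs. The allowlist here is an
// illustrative assumption, not the project's own rule.
const CONTEXT_ALLOWED = /^[A-Za-z0-9_.:*-]+$/;
function isValidContext(context) {
  return typeof context === 'string' && CONTEXT_ALLOWED.test(context);
}

// Demonstrates the metacharacter leak without any heavy pattern: with the
// unsafe matcher, "vessels.self" also matches "vesselsXself".
function leakDemo() {
  return {
    unsafe: contextMatcherUnsafe('vessels.self').test('vesselsXself'),
    safe: contextMatcherSafe('vessels.self').test('vesselsXself'),
    glob: globMatch('vessels.self', 'vesselsXself'),
  };
}

module.exports = { contextMatcherUnsafe, contextMatcherSafe, escapeRegExp, globMatch, isValidContext, leakDemo };
```

For a subscription handler the cheapest defence is `isValidContext` at the point the message is parsed, with `globMatch` (or the escaped RegExp) used for the actual routing; either way the client can no longer influence the shape of the pattern the event loop evaluates.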
Impact
Exploitation of this vulnerability leads to a complete denial-of-service condition, where the server becomes unresponsive due to the Node.js event loop being blocked.
Reproduction
The vulnerability can be reproduced by establishing a WebSocket connection to the Signal K Server and sending a subscription request that includes a crafted 'context' parameter. This parameter should contain unescaped regex metacharacters, such as nested quantifiers, which will cause the server to enter a backtracking loop when processing the request. The impact can be observed by monitoring the server's CPU usage and responsiveness to other requests.
Remediation
Users can upgrade to Signal K Server version 2.25.0 or later, where this vulnerability has been fixed.