Signal K Server WebSocket Login Rate Limiting Bypass Vulnerability

Vulnerability

A vulnerability in Signal K Server prior to version 2.25.0 allows for credential brute-forcing via the WebSocket login endpoint. While the HTTP login routes are protected by rate limiting, the WebSocket endpoint lacks similar safeguards, enabling attackers to send unlimited password guesses at a rate of approximately 20 attempts per second, constrained only by bcrypt's hashing process. This issue has been addressed in version 2.25.0.

Impact

The vulnerability allows for credential brute-forcing through the WebSocket protocol, bypassing the rate limits enforced on HTTP login requests. This could lead to unauthorized access if passwords are successfully guessed.

Reproduction

To reproduce this vulnerability, start the Signal K server with security enabled. Open a WebSocket connection to the server's WebSocket endpoint and wait for the initial hello message. Then, send login attempts rapidly by including a request ID and login credentials in the WebSocket messages. All attempts will be processed without any throttling or rate limit responses. In contrast, sending multiple HTTP login requests will trigger the rate limit after 100 attempts.

Remediation

Users can update to Signal K Server version 2.25.0 or later, where this vulnerability has been patched.
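As an added illustration (not Signal K Server's own code, and not the fix shipped in 2.25.0), the following JavaScript applies the same per-client attempt cap that the advisory describes for the HTTP routes to login messages arriving over a WebSocket, checking the cap before any bcrypt verification runs. The message shape `{requestId, login: {username, password}}`, the client key, the window length and the reply format are assumptions.

```javascript
// Added example, not Signal K code. Sliding-window limiter for WebSocket
// login messages, mirroring the 100-attempt HTTP limit from the advisory.
const MAX_ATTEMPTS = 100;          // assumed to match the HTTP limit
const WINDOW_MS = 15 * 60 * 1000;  // assumed window length

class LoginRateLimiter {
  constructor(maxAttempts = MAX_ATTEMPTS, windowMs = WINDOW_MS) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    this.attempts = new Map(); // client key (e.g. remote IP) -> timestamps
  }

  // Returns true if the attempt may proceed, false if the client is throttled.
  // Call once per login message, before verifying the password, so that
  // throttled guesses never reach bcrypt and cost the server no hashing time.
  check(clientKey, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.attempts.get(clientKey) || []).filter(t => t > cutoff);
    if (recent.length >= this.maxAttempts) {
      this.attempts.set(clientKey, recent); // blocked attempts are not counted
      return false;
    }
    recent.push(now);
    this.attempts.set(clientKey, recent);
    return true;
  }
}

// Handle one parsed WebSocket message and return the reply the server would
// send, or null when the message is not a login request. The assumed message
// shape is {requestId, login: {username, password}}; verifyCredentials is the
// caller's (bcrypt-backed) check and is only invoked when the cap allows it.
function handleLoginMessage(limiter, clientKey, msg, verifyCredentials, now) {
  if (!msg || !msg.login || !msg.requestId) return null;
  if (!limiter.check(clientKey, now)) {
    // Worth logging with the client key: a burst of these is the brute-force
    // signal that the unpatched server never produced.
    return { requestId: msg.requestId, state: 'COMPLETED', statusCode: 429,
             message: 'Too many login attempts' };
  }
  const ok = verifyCredentials(msg.login.username, msg.login.password);
  return { requestId: msg.requestId, state: 'COMPLETED', statusCode: ok ? 200 : 401 };
}
```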

Added: May 9, 2026, 8:29 PM
Updated: May 9, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          0.0
  impact          5.0
  exploitability  8.7
  remediation     0.0
  relevance       7.8
  threat          6.4
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.