How severe is GHSA-p8gp-2w28-mhwg?

GHSA-p8gp-2w28-mhwg has a CVSS score of 9.9/10, rated CRITICAL. Immediate patching is strongly recommended.

Which packages are affected by GHSA-p8gp-2w28-mhwg?

GHSA-p8gp-2w28-mhwg affects the following packages: @signalk/set-system-time (npm). Ecosystems affected: npm.

How do I fix GHSA-p8gp-2w28-mhwg?

Update @signalk/set-system-time to 1.5.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-p8gp-2w28-mhwg is resolved across your whole dependency graph.

How do I detect GHSA-p8gp-2w28-mhwg in my npm dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @signalk/set-system-time. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-p8gp-2w28-mhwg if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-p8gp-2w28-mhwg?

O3 pinpoints whether GHSA-p8gp-2w28-mhwg is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-p8gp-2w28-mhwg actively exploited in the wild?

No public exploit code has been indexed for GHSA-p8gp-2w28-mhwg yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-p8gp-2w28-mhwg?

GHSA-p8gp-2w28-mhwg has an EPSS (Exploit Prediction Scoring System) score of 4.2%, placing it in the 90th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-p8gp-2w28-mhwg?

GHSA-p8gp-2w28-mhwg is classified as OS Command Injection (CWE-78). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation. This is a high-impact weakness class that often enables remote code execution or data exposure.

When was GHSA-p8gp-2w28-mhwg published, and has it been updated?

GHSA-p8gp-2w28-mhwg was published on February 2, 2026 and was last updated on February 3, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

📦 npm

GHSA-p8gp-2w28-mhwg

CRITICAL

Signal K set-system-time plugin vulnerable to RCE - Command Injection

Also known asCVE-2026-23515

Published

Feb 2, 2026

Updated

Feb 3, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

4.2%probability of exploitation in next 30 days

Lower Risk90th percentile-5.38%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

@signalk/set-system-timenpm

2Kdownloads / week

Description

Summary

A Command Injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages.

Details

Product: Signal K set-system-time plugin
Repository: https://github.com/SignalK/set-system-time

File: index.js, lines 60-71

      stream.onValue(function (datetime) {
        var child
        if (process.platform == 'win32') {
          console.error("Set-system-time supports only linux-like os's")
        } else {
          if( ! plugin.useNetworkTime(options) ){
            const useSudo = typeof options.sudo === 'undefined' || options.sudo
            const setDate = `date --iso-8601 -u -s "${datetime}"`  // ← VULNERABLE
            const command = useSudo
              ? `if sudo -n date &> /dev/null ; then sudo ${setDate} ; else exit 3 ; fi`
              : setDate
            child = require('child_process').spawn('sh', ['-c', command])  // ← EXECUTES SHELL

The vulnerability has three components:

Unsanitized Input: The datetime value from navigation.datetime Signal K path is directly interpolated into a shell command without validation
Shell Execution: The command is executed via spawn('sh', ['-c', command]), which interprets shell metacharacters
Sudo Privileges: The plugin can execute with root privileges if sudo is misconfigured, instructions to limit passwordless sudo to the /bin/date binary helps mitigate this but RCE can still be achieved with the privileges of the user that installed it.

PoC

Exploitation Requirements

Signal K server with security enabled, if disabled credentials not required
Valid user credentials with readwrite or admin permissions
set-system-time plugin installed and enabled
Signal K server installed on a Linux OS
Passwordless sudo configured, official instructions will do this for the date command which is enough to satisfy the if condition

"""
Run provided POC:
    python3 poc.py --host signalkserver_IP -u username -p password

Payload: Creates /tmp/signalk-RCE.txt to prove code execution
"""

Impact

An attacker that has write privileges either through security on the Signal K server being disabled or valid credentials with read/write permissions can execute arbitrary commands on the server with the privileges of the SignalK process or root if sudo is misconfigured. This enables complete system compromise.

Recommendations

Replace shell-based execution with child_process.execFile() so user-controlled input is passed as arguments rather than interpreted by a shell.
Validate that navigation.datetime conforms to an expected ISO-8601 format to improve robustness.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
📦npm	`@signalk/set-system-time`	all versions	1.5.0

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @signalk/set-system-time. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @signalk/set-system-time to 1.5.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-p8gp-2w28-mhwg is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-p8gp-2w28-mhwg is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-p8gp-2w28-mhwg. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary A Command Injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing `navigation.datetime` values received via WebSocket delta messages. ### Details **Product:** Signal K set-system-time plugin **Repository:** https://github.com/SignalK/set-system-time File: `index.js`, lines 60-71 `

O3 Security · Impact-Aware SCA

Is GHSA-p8gp-2w28-mhwg in your dependencies?

O3 detects GHSA-p8gp-2w28-mhwg across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works