Mesh Networking Solution Vulnerability in Meshtastic Software
CVE-2025-24798

4.3MEDIUM

Key Information:

Vendor

Meshtastic

Status
Firmware
Vendor
CVE Published:
10 July 2025

What is CVE-2025-24798?

A vulnerability in Meshtastic firmware versions 1.2.1 through 2.6.2 can be exploited through a crafted packet sent to the routing module, specifically when the 'want_response' flag is set to true. This flaw may cause the system to crash, leading to a disruption of service for other nodes within the communication range of the malicious sender. Moreover, if downlink is enabled via MQTT, it can further exacerbate the situation, compromising network reliability. Users are encouraged to update to version 2.6.2, which contains the necessary fixes to address this issue.

Affected Version(s)

firmware >= 1.2.1, < 2.6.2

References

https://github.com/meshtastic/firmware/security/advisorie...
x_refsource_CONFIRM
https://github.com/meshtastic/firmware/commit/dc100e4d3e3...
x_refsource_MISC
https://github.com/meshtastic/firmware/blob/cdcbf4c61550e...
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.