Code Injection Vulnerability in Meshtastic Open Source Networking Solution
CVE-2025-53637
4.1 MEDIUM
What is CVE-2025-53637?
Meshtastic, an open source mesh networking solution, is affected by a code injection vulnerability caused by insecure handling of user-controlled input in its GitHub Actions workflow. The main_matrix.yml workflow is triggered by the pull_request_target event, which runs with the base repository's extensive permissions; an attacker who forks the repository can therefore have their input processed with those privileges, and unauthorized code can potentially be injected into the repository. The vulnerability has been fixed in version 2.6.6, so updating to the latest release is recommended.
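The advisory does not reproduce main_matrix.yml, so the following is a constructed illustration (not Meshtastic's code) of the general pattern behind this bug class and a hardened form: a pull_request_target job inherits the base repository's write token and secrets, so it must never check out or execute the fork's code or expand untrusted fields inline in a shell step. The job name, script path and the CI_BOT_TOKEN secret are assumptions.

```yaml
# CONSTRUCTED example, not the Meshtastic workflow.
# Risky pattern: pull_request_target runs in the base repository's context
# (write-capable GITHUB_TOKEN, access to secrets), yet this job checks out
# and runs the pull request head, i.e. code controlled by whoever forked.
name: ci-risky
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: ./ci/build.sh        # fork-controlled script runs with secrets
        env:
          TOKEN: ${{ secrets.CI_BOT_TOKEN }}
      # Inline expansion of a user-controlled field inside a shell command is
      # the second injection vector: the value becomes part of the script.
      - run: echo "Building ${{ github.event.pull_request.title }}"
---
# Hardened form: build fork contributions under plain pull_request, where the
# token is read-only and forks get no secrets; pin the default token to the
# least privilege the job needs; pass untrusted fields through env so they
# are data to the shell, never part of the command text.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # merge ref of the PR, no secrets exposed
      - run: ./ci/build.sh
      - name: Log PR title without shell interpolation
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: printf 'Building %s\n' "$PR_TITLE"
```

If a step genuinely needs pull_request_target (for example to comment on the PR), keep it in a separate job that never checks out the PR head and grants only the specific permission it uses.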
Affected Version(s)
firmware >= 2.5.3, < 2.6.6
