Security Flaw in Meshtastic Networking Solution Affects User Public Key Management
CVE-2025-55293

9.4 CRITICAL

Key Information:

Vendor: Meshtastic

Status
Vendor
CVE Published: 18 August 2025

What is CVE-2025-55293?

Meshtastic, an open-source mesh networking solution, contains a vulnerability in its public key management. Prior to version 2.6.3, an attacker can send a NodeInfo message with an empty publicKey, which clears the existing key for a known node. The attacker can then bypass the security checks and store a malicious public key in the NodeDB, compromising the integrity and security of the networking device. The issue has been addressed in version 2.6.3, making it crucial for users to upgrade to this version.
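
A simplified model of the key handling described above, added here as an illustration and not taken from the Meshtastic firmware: the flawed update path lets an empty publicKey erase a pinned key, while the hardened path never clears or replaces a stored key. The names NodeDb, updateFlawed, updateHardened and originalKeySurvives, the 32-byte key length and the sample values are assumptions of this sketch.

```cpp
// Simplified model of node public-key pinning; not Meshtastic firmware code.
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

using Key = std::vector<uint8_t>;   // empty vector = NodeInfo carried no publicKey
constexpr std::size_t KEY_LEN = 32; // assumed key length for this model

struct NodeDb {
    std::map<uint32_t, Key> keys; // node number -> stored public key
    // Flawed logic matching the advisory's description: the mismatch check only
    // fires when both keys are present, and the incoming value is stored as is.
    bool updateFlawed(uint32_t node, const Key &incoming) {
        Key &stored = keys[node];
        if (!stored.empty() && !incoming.empty() && stored != incoming)
            return false;  // differing key for a known node is rejected
        stored = incoming; // an empty incoming key erases the stored one
        return true;
    }

    // Hardened logic: a stored key is never cleared or replaced by NodeInfo.
    bool updateHardened(uint32_t node, const Key &incoming) {
        Key &stored = keys[node];
        if (stored.empty()) {
            if (incoming.size() != KEY_LEN) return incoming.empty();
            stored = incoming; // first sighting: pin the key
            return true;
        }
        return incoming.empty() || incoming == stored; // stored key untouched
    }
};

// Replays the message sequence from the advisory (constructed keys) and
// reports whether the node's original key is still the one in the database.
bool originalKeySurvives(bool hardened) {
    const uint32_t node = 0x1234; // constructed node number
    const Key original(KEY_LEN, 0xAA), other(KEY_LEN, 0xBB), none;
    NodeDb db;
    for (const Key &k : {original, none, other}) {
        if (hardened) db.updateHardened(node, k);
        else db.updateFlawed(node, k);
    }
    return db.keys[node] == original;
}

int main() {
    std::printf("flawed: %d hardened: %d\n", originalKeySurvives(false), originalKeySurvives(true));
}
```

A rejected update (return value `false`) in the hardened path is also a useful detection signal: a known node suddenly advertising a different key is worth logging.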

Affected Version(s)

firmware < 2.6.3

CVSS V3.1

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
