CVE-2025-55293

Critical CVSS: 9.4

Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.

Vendor

Meshtastic

Product

Meshtastic Firmware

CWE

CWE-287

Yayın Tarihi

2025-08-18 18:15:39

Güncelleme

2025-10-17 17:48:30

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-287 Meshtastic Firmware CRITICAL Meshtastic 2025

Referanslar

https://github.com/meshtastic/firmware/commit/cf7f0f9d0895602df3453a4f5cfea843f4e09744 https://github.com/meshtastic/firmware/pull/6372 https://github.com/meshtastic/firmware/security/advisories/GHSA-95pq-gj5v-4fg2

Benzer Kayıtlar

High

CVE-2025-55292

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by t…

Medium

CVE-2025-53627

Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces as…

Low

CVE-2024-47065

Meshtastic is an open source mesh networking solution. Prior to 2.5.1, traceroute responses from the remote node are not…

Medium

CVE-2025-24798

Meshtastic is an open source mesh networking solution. From 1.2.1 until 2.6.2, a packet sent to the routing module that…

Medium

CVE-2025-53637

Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_reques…

Critical

CVE-2025-52464

Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure o…