CVE-2025-53637

Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/meshtastic/firmware/blob/3fd47d9713e7d1b6866c48cf218e2435741651a2/.github/workflows/main_matrix.yml#L34-L41
https://github.com/meshtastic/firmware/security/advisories/GHSA-6mwm-v2vv-pp96

Configurations

No configuration.

History

15 Jul 2025, 13:14

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-10 22:15

Updated : 2025-07-15 13:14

NVD link : CVE-2025-53637

Mitre link : CVE-2025-53637

CVE.ORG link : CVE-2025-53637

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2025-53637", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.3}]}, "published": "2025-07-10T22:15:24.580", "references": [{"url": "https://github.com/meshtastic/firmware/blob/3fd47d9713e7d1b6866c48cf218e2435741651a2/.github/workflows/main_matrix.yml#L34-L41", "source": "security-advisories@github.com"}, {"url": "https://github.com/meshtastic/firmware/security/advisories/GHSA-6mwm-v2vv-pp96", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6."}, {"lang": "es", "value": "Meshtastic es una soluci\u00f3n de red en malla de c\u00f3digo abierto. La acci\u00f3n de GitHub main_matrix.yml se activa mediante el evento pull_request_target, que cuenta con amplios permisos y puede ser iniciada por un atacante que bifurc\u00f3 el repositorio y cre\u00f3 una solicitud de extracci\u00f3n. En la ejecuci\u00f3n del c\u00f3digo de shell, la entrada controlada por el usuario se interpola de forma insegura en el c\u00f3digo. Si se explotara esta vulnerabilidad, los atacantes podr\u00edan inyectar c\u00f3digo no autorizado en el repositorio. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 2.6.6."}], "lastModified": "2025-07-15T13:14:49.980", "sourceIdentifier": "security-advisories@github.com"}