CVE-2025-53637

Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.

CVSS v3 4.1 MEDIUM

4.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/meshtastic/firmware/blob/3fd47d9713e7d1b6866c48cf218e2435741651a2/.github/workflows/main_matrix.yml#L34-L41	Product
https://github.com/meshtastic/firmware/security/advisories/GHSA-6mwm-v2vv-pp96	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*

History

22 Aug 2025, 16:02

Type	Values Removed	Values Added
CPE		cpe:2.3:o:meshtastic:meshtastic_firmware::::::::
First Time		Meshtastic meshtastic Firmware Meshtastic
References	~~() https://github.com/meshtastic/firmware/blob/3fd47d9713e7d1b6866c48cf218e2435741651a2/.github/workflows/main_matrix.yml#L34-L41 -~~	() https://github.com/meshtastic/firmware/blob/3fd47d9713e7d1b6866c48cf218e2435741651a2/.github/workflows/main_matrix.yml#L34-L41 - Product
References	~~() https://github.com/meshtastic/firmware/security/advisories/GHSA-6mwm-v2vv-pp96 -~~	() https://github.com/meshtastic/firmware/security/advisories/GHSA-6mwm-v2vv-pp96 - Third Party Advisory

15 Jul 2025, 13:14

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-10 22:15

Updated : 2025-08-22 16:02

NVD link : CVE-2025-53637

Mitre link : CVE-2025-53637

CVE.ORG link : CVE-2025-53637

JSON object : View

Products Affected

meshtastic

meshtastic_firmware

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2025-53637", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.1}]}, "published": "2025-07-10T22:15:24.580", "references": [{"url": "https://github.com/meshtastic/firmware/blob/3fd47d9713e7d1b6866c48cf218e2435741651a2/.github/workflows/main_matrix.yml#L34-L41", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/meshtastic/firmware/security/advisories/GHSA-6mwm-v2vv-pp96", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6."}, {"lang": "es", "value": "Meshtastic es una soluci\u00f3n de red en malla de c\u00f3digo abierto. La acci\u00f3n de GitHub main_matrix.yml se activa mediante el evento pull_request_target, que cuenta con amplios permisos y puede ser iniciada por un atacante que bifurc\u00f3 el repositorio y cre\u00f3 una solicitud de extracci\u00f3n. En la ejecuci\u00f3n del c\u00f3digo de shell, la entrada controlada por el usuario se interpola de forma insegura en el c\u00f3digo. Si se explotara esta vulnerabilidad, los atacantes podr\u00edan inyectar c\u00f3digo no autorizado en el repositorio. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 2.6.6."}], "lastModified": "2025-08-22T16:02:16.093", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB44176B-8A75-41E4-BE44-4555A24CCA18", "versionEndExcluding": "2.6.6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}