Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.
References
Link | Resource |
---|---|
https://github.com/meshtastic/firmware/commit/cf7f0f9d0895602df3453a4f5cfea843f4e09744 | Patch |
https://github.com/meshtastic/firmware/pull/6372 | Patch Issue Tracking |
https://github.com/meshtastic/firmware/security/advisories/GHSA-95pq-gj5v-4fg2 | Vendor Advisory |
Configurations
History
17 Oct 2025, 17:48
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:* | |
Summary |
|
|
CWE | NVD-CWE-noinfo | |
References | () https://github.com/meshtastic/firmware/commit/cf7f0f9d0895602df3453a4f5cfea843f4e09744 - Patch | |
References | () https://github.com/meshtastic/firmware/pull/6372 - Patch, Issue Tracking | |
References | () https://github.com/meshtastic/firmware/security/advisories/GHSA-95pq-gj5v-4fg2 - Vendor Advisory | |
First Time |
Meshtastic meshtastic Firmware
Meshtastic |
18 Aug 2025, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-08-18 18:15
Updated : 2025-10-17 17:48
NVD link : CVE-2025-55293
Mitre link : CVE-2025-55293
CVE.ORG link : CVE-2025-55293
JSON object : View
Products Affected
meshtastic
- meshtastic_firmware
CWE