CVE-2025-55293 (GCVE-0-2025-55293)
Vulnerability from cvelistv5 – Published: 2025-08-18 17:24 – Updated: 2025-08-18 17:41
Title
Meshtastic allows crafting of specific NodeInfo packets that overwrite any publicKey saved in the NodeDB
Summary
Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with an empty publicKey first, then overwrite it with a new key. Sending an empty key first bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. A new key then bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.
Severity
9.4 (Critical)
CWE
- CWE-287 - Improper Authentication
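Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/meshtastic/firmware/security/advisories/GHSA-95pq-gj5v-4fg2 | x_refsource_CONFIRM |
| https://github.com/meshtastic/firmware/pull/6372 | x_refsource_MISC |
| https://github.com/meshtastic/firmware/commit/cf7f0f9d0895602df3453a4f5cfea843f4e09744 | x_refsource_MISC |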
Impacted products
| Vendor | Product | Version |
|---|---|---|
| meshtastic | firmware | Affected: < 2.6.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55293",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T17:41:12.799937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T17:41:25.082Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "firmware",
"vendor": "meshtastic",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses \u0027if (p.public_key.size \u003e 0) {\u0027, clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses \u0027if (info-\u003euser.public_key.size \u003e 0) {\u0027, and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T17:24:35.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/meshtastic/firmware/security/advisories/GHSA-95pq-gj5v-4fg2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/meshtastic/firmware/security/advisories/GHSA-95pq-gj5v-4fg2"
},
{
"name": "https://github.com/meshtastic/firmware/pull/6372",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/meshtastic/firmware/pull/6372"
},
{
"name": "https://github.com/meshtastic/firmware/commit/cf7f0f9d0895602df3453a4f5cfea843f4e09744",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/meshtastic/firmware/commit/cf7f0f9d0895602df3453a4f5cfea843f4e09744"
}
],
"source": {
"advisory": "GHSA-95pq-gj5v-4fg2",
"discovery": "UNKNOWN"
},
"title": "Meshtastic allows crafting of specific NodeInfo packets that overwrite any publicKey saved in the NodeDB"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55293",
"datePublished": "2025-08-18T17:24:35.254Z",
"dateReserved": "2025-08-12T16:15:30.237Z",
"dateUpdated": "2025-08-18T17:41:25.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}