CRITICAL🇵🇱 Wersja polska

CVE-2025-55293

CVSS 9.4v3.1pub. 2025-08-18upd. 2025-10-17

Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
  • Meshtastic Firmware

    OS
    Meshtastic
    < 2.6.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-52464CRITICAL9.5PL ✓ten sam produkt

Meshtastic Firmware: słaba entropia i duplikacja kluczy kryptograficznych

CVE-2025-24797CRITICAL9.4PL ✓ten sam produkt

RCE przez buffer overflow w obsłudze pakietów protobuf w Meshtastic Firmware

CVE-2025-55292HIGH8.2ten sam produkt

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is ident...

CVE-2024-47078HIGH8.1ten sam produkt

Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over ...

CVE-2024-45038HIGH7.5ten sam produkt

Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, decentralized...