Lucene search
+L
MeshtasticMeshtastic Firmware

13 matches found

CVE
CVE
added 2025/04/14 11:25 p.m.178 views

CVE-2025-24797

CVE-2025-24797 concerns Meshtastic, an open-source mesh networking solution. A fault in handling mesh packets containing invalid protobuf data can cause an attacker-controlled buffer overflow, hijacking execution flow and potentially enabling remote code execution. The root cause, as described in...

9.8CVSS9.8AI score0.00861EPSS
CVE
CVE
added 2025/06/19 3:10 p.m.97 views

CVE-2025-52464

Meshtastic versions 2.5.0–2.6.10 expose a vulnerability where flashing procedures can duplicate public/private keys and the RNG may have low entropy, allowing an attacker to decrypt Direct Messages after collecting compromised keys. This is caused by key generation timing and insufficient randomn...

9.5CVSS6.3AI score0.00418EPSS
CVE
CVE
added 2025/02/18 6:17 p.m.81 views

CVE-2025-21608

CVE-2025-21608 affects Meshtastic firmware; forged packets over MQTT can be shown as direct messages in a client to a node because PKC decoding failed. Root cause: packets crafted over MQTT were not decoded with PKC, enabling visibility of a DM in the client. Impact is described as partial (integ...

5.3CVSS6.9AI score0.00359EPSS
CVE
CVE
added 2025/12/29 4:18 p.m.72 views

CVE-2025-53627

Meshtastic firmware (from version 2.5) can fall back to legacy AES-256-CTR if the pki_encrypted flag is missing, undermining PKI end-to-end direct messages. The downgrade path allows adversaries with a shared channel key to inject spoofed DMs that appear PKI-encrypted to end-user apps (Web, iOS/A...

5.3CVSS6.4AI score0.00191EPSS
CVE
CVE
added 2024/08/27 8:36 p.m.57 views

CVE-2024-45038

Summary (CVE-2024-45038) : The vulnerability is a denial-of-service in the MQTT handling of the Meshtastic device firmware prior to version 2.4.1. The fix is in Meshtastic firmware version 2.4.1 and on the Meshtastic public MQTT Broker. Affected product: Meshtastic device firmware (pre-2.4.1). Im...

7.5CVSS7.6AI score0.00596EPSS
CVE
CVE
added 2024/11/04 11:0 p.m.57 views

CVE-2024-51500

The CVE-2024-51500 entry affects Meshtastic firmware. Description details that the firmware does not inspect packets from the special broadcast address 0xFFFFFFFF, enabling a malicious actor to craft a broadcast-like packet that amplifies a single message into multiple messages across every node,...

7.5CVSS5.2AI score0.00401EPSS
CVE
CVE
added 2024/10/07 7:55 p.m.53 views

CVE-2024-47079

The CVE-2024-47079 entry concerns Meshtastic firmware where the remote hardware module failed to validate incoming remote hardware control messages. Root cause: the validation checks were missing, allowing unauthorized usage of the remote hardware module. Impact: as described, potential improper ...

6.4CVSS6.4AI score0.00194EPSS
CVE
CVE
added 2024/09/25 3:32 p.m.52 views

CVE-2024-47078

Meshtastic firmware prior to 2.5.1 contains weaknesses in the MQTT implementation that bypass authentication and authorization, allowing unauthorized control of MQTT-connected nodes. Version 2.5.1 patches the issue. Practical impact: unauthorized access/control via MQTT. Remediation: upgrade to 2...

9.8CVSS8AI score0.00464EPSS
CVE
CVE
added 2025/08/18 5:24 p.m.32 views

CVE-2025-55293

Meshtastic (vulnerable before 2.6.3) allows crafting NodeInfo packets to overwrite a known node’s publicKey in NodeDB. Attack flow: first send NodeInfo with an empty publicKey to bypass size checks (clears existing key), then send a new key that gets stored. Root cause is improper handling of emp...

9.8CVSS6.2AI score0.00394EPSS
CVE
CVE
added 2025/07/10 9:22 p.m.27 views

CVE-2025-24798

CVE-2025-24798 – Meshtastic : Affects Meshtastic Open Source firmware versions 1.2.1 through 2.6.2. A crafted packet sent to the routing module with want_response==true can crash the router, causing degradation of service for nodes within range and potentially affecting MQTT downlinks. Root cause...

6.5CVSS6.5AI score0.00375EPSS
CVE
CVE
added 2025/07/11 5:0 p.m.24 views

CVE-2024-47065

CVE-2024-47065 affects Meshtastic before version 2.5.1, where traceroute responses from remote nodes were not rate limited. This allows rapid, repeated responses (approximately 100 samples in ~2 minutes) and can enable a 2:1 reflected DoS, with positional confidentiality concerns highlighted as a...

6.9CVSS7AI score0.00242EPSS
CVE
CVE
added 2026/01/27 11:28 p.m.22 views

CVE-2025-55292

CVE-2025-55292 affects Meshtastic, where NodeIDs are derived from MAC addresses instead of public keys, enabling an attacker to forge a NodeInfo and advertise HAM mode (which lacks encryption). This allows other mesh nodes to accept the forged information, overwrite the NodeDB, and route direct m...

8.2CVSS5.9AI score0.00134EPSS
CVE
CVE
added 2025/07/10 9:31 p.m.21 views

CVE-2025-53637

Summary: CVE-2025-53637 affects Meshtastic open-source firmware; the issue resides in the main_matrix.yml GitHub Action, where user input is interpolated unsafely in shell code. This can be triggered by a attacker who forks the repository and opens a pull request via pull_request_target, leveragi...

8CVSS6.9AI score0.00328EPSS