Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-53637

Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.

Published

2025-07-10T22:15:24.580

Last Modified

2025-08-22T16:02:16.093

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.1 (MEDIUM)

Weaknesses

Type: Primary
CWE-78

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	meshtastic	meshtastic_firmware	< 2.6.6	Yes

References

https://github.com/meshtastic/firmware/blob/3fd47d9713e7d1b6866c48cf218e2435741651a2/.github/workflows/main_matrix.yml#L34-L41 Product ([email protected])
https://github.com/meshtastic/firmware/security/advisories/GHSA-6mwm-v2vv-pp96 Third Party Advisory ([email protected])