CNNVD-202507-1564 Information
CNNVD ID
CNNVD-202507-1564
Related CVE
- CNNVD Published: 2025-07-10
Description (Chinese)
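Meshtastic device firmware is open-source firmware from Meshtastic that lets Meshtastic devices run an open-source, off-grid, decentralized mesh network. Versions of Meshtastic device firmware before 2.6.6 contain an operating system command injection vulnerability. It stems from user input being unsafely inserted into code in the main_matrix.yml GitHub Action, which may allow injection of unauthorized code.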
Description (English)
Meshtastic device firmware is the open-source firmware that Meshtastic devices run to form an open-source, off-grid, decentralised mesh network. Versions of Meshtastic device firmware before 2.6.6 contain an operating system command injection vulnerability, which results from user input being unsafely inserted into code in the main_matrix.yml GitHub Action and may result in the injection of unauthorized code.
Hazard Level
High
Vulnerability Type
Operating system command injection
Affected Vendor
MessagePack
Published
2025-07-10
Last Modified
2026-02-24
References
https://github.com/meshtastic/firmware/blob/3fd47d9713e7d1b6866c48cf218e2435741651a2/.github/workflows/main_matrix.yml#L34-L41
https://github.com/meshtastic/firmware/security/advisories/GHSA-6mwm-v2vv-pp96
https://nvd.nist.gov/vuln/detail/CVE-2025-53637
https://access.redhat.com/security/cve/cve-2025-53637
Patch
https://github.com/meshtastic/firmware/releases