CVE-2025-55293 Information

Aug 19, 2025 cve

Description

Meshtastic is an open source mesh networking solution. Prior to v2.6.3 an attacker can send NodeInfo with a empty publicKey first then overwrite it with a new key. First sending a empty key bypasses ‘if (p.public_key.size > 0) ’ clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses ‘if (info->user.public_key.size > 0) ’ and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3.

Reference

https://github.com/meshtastic/firmware/commit/cf7f0f9d0895602df3453a4f5cfea843f4e09744 https://github.com/meshtastic/firmware/pull/6372 https://github.com/meshtastic/firmware/security/advisories/GHSA-95pq-gj5v-4fg2

CNNVD-202508-2038 (Published: 2025-08-18)

Share on:

CVE-2025-55293 Information

Description

Reference

Related CNNVD