CVE-2025-21608

Meshtastic is an open source mesh networking solution. In affected firmware versions crafted packets over MQTT are able to appear as a DM in client to a node even though they were not decoded with PKC. This issue has been addressed in version 2.5.19 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/meshtastic/firmware/security/advisories/GHSA-c967-qc39-3hf5	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*

History

23 Sep 2025, 19:20

Type	Values Removed	Values Added
Summary		(es) Meshtastic es una solución de red de malla de código abierto. En las versiones de firmware afectadas los paquetes manipulados sobre MQTT pueden aparecer como DM en el cliente a un nodo a pesar de que no estaban decodificados con PKC. Este problema se ha abordado en la versión 2.5.19 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.
CPE		cpe:2.3:o:meshtastic:meshtastic_firmware::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
First Time		Meshtastic meshtastic Firmware Meshtastic
References	~~() https://github.com/meshtastic/firmware/security/advisories/GHSA-c967-qc39-3hf5 -~~	() https://github.com/meshtastic/firmware/security/advisories/GHSA-c967-qc39-3hf5 - Third Party Advisory

18 Feb 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-18 19:15

Updated : 2025-09-23 19:20

NVD link : CVE-2025-21608

Mitre link : CVE-2025-21608

CVE.ORG link : CVE-2025-21608

JSON object : View

Products Affected

meshtastic

meshtastic_firmware

CWE

CWE-668

Exposure of Resource to Wrong Sphere

{"id": "CVE-2025-21608", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-18T19:15:25.220", "references": [{"url": "https://github.com/meshtastic/firmware/security/advisories/GHSA-c967-qc39-3hf5", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "Meshtastic is an open source mesh networking solution. In affected firmware versions crafted packets over MQTT are able to appear as a DM in client to a node even though they were not decoded with PKC. This issue has been addressed in version 2.5.19 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Meshtastic es una soluci\u00f3n de red de malla de c\u00f3digo abierto. En las versiones de firmware afectadas los paquetes manipulados sobre MQTT pueden aparecer como DM en el cliente a un nodo a pesar de que no estaban decodificados con PKC. Este problema se ha abordado en la versi\u00f3n 2.5.19 y se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2025-09-23T19:20:35.733", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1702F35F-4CCB-47DB-B14A-1C04E9EDA1D7", "versionEndExcluding": "2.5.19", "versionStartIncluding": "2.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}