Unrated severity · NVD Advisory · Published Jul 10, 2025 · Updated Jul 11, 2025
Meshtastic allows Command Injection in GitHub Action
CVE-2025-53637
Description
Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which runs with extensive permissions and can be initiated by an attacker who forked the repository and opened a pull request. In the workflow's shell step, user-controlled input is interpolated unsafely into the command. If this were exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.
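The unsafe interpolation pattern described above, beside the environment-variable form that GitHub's own hardening guidance recommends, as an added illustration that is not taken from the Meshtastic repository. The job names, the step contents, and the choice of `github.event.pull_request.title` as the interpolated field are assumptions; the advisory does not say which field main_matrix.yml used.

```yaml
# Hypothetical workflow (not Meshtastic's main_matrix.yml), two jobs side by side.
# pull_request_target runs in the context of the base repository, so the job
# has the base repo's secrets and a GITHUB_TOKEN that can write to it, while the
# event payload (title, branch name, body, ...) is controlled by the PR author.
on:
  pull_request_target:

jobs:
  # WEAK: the ${{ }} expression is expanded into the script text *before* the
  # shell runs it, so the PR author's text becomes part of the command itself
  # rather than data. Any shell metacharacters in the title are interpreted.
  unsafe-build:
    runs-on: ubuntu-latest
    steps:
      - name: Log the pull request (unsafe)
        run: echo "Building PR: ${{ github.event.pull_request.title }}"

  # FIXED: the untrusted value is handed to the step as an environment
  # variable. The script text never changes, and the quoted "$PR_TITLE"
  # expansion is ordinary data to the shell. Write permission is also dropped
  # so the job cannot push to the repository even if something else goes wrong.
  safe-build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Log the pull request (safe)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building PR: $PR_TITLE"
```

A quick review check for any workflow on pull_request_target is to grep its `run:` blocks for `${{ github.event.` and `${{ github.head_ref` and move each hit into an `env:` entry.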
Affected products
- Range: >= 2.5.3, < 2.6.6
Patches
No patches discovered yet.
References
- github.com/meshtastic/firmware/blob/3fd47d9713e7d1b6866c48cf218e2435741651a2/.github/workflows/main_matrix.yml
- github.com/meshtastic/firmware/security/advisories/GHSA-6mwm-v2vv-pp96