CVE-2025-53637
HIGH EPSS 24.6%
Published Jul 10, 2025 (11 months ago) · Modified Jun 17, 2026 (2 weeks ago)
8.0 CVSS 3.1
Description
Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which runs with extensive permissions and can be initiated by an attacker who forks the repository and opens a pull request. In the shell step of the workflow, user-controlled input is interpolated unsafely into the executed command. If exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.
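As an added defender-side example (not code from the Meshtastic project or the advisory): a small Python scanner for the pattern this CVE describes, a workflow triggered by `pull_request_target` that interpolates attacker-controlled pull-request fields into a `run:` script, beside the hardened form that passes the same values through `env` and reads them as quoted shell variables. The list of untrusted contexts and both sample workflows are constructed assumptions, not the actual main_matrix.yml.

```python
import re

# Contexts a fork's PR author controls (partial list, an assumption for this example).
UNTRUSTED_CONTEXTS = ("github.head_ref", "github.event.pull_request.title",
                      "github.event.pull_request.body", "github.event.pull_request.head.")
EXPRESSION = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(?:-\s+)?run:\s*(.*)$")

def uses_pull_request_target(text):
    """True if the workflow lists pull_request_target among its triggers."""
    return re.search(r"(?m)^\s*-?\s*pull_request_target\b|\[[^\]]*pull_request_target", text) is not None

def find_unsafe_run_interpolations(text):
    """Return (line_no, expression) for untrusted ${{ }} expressions inside run: steps."""
    # After a `run:` key, deeper-indented lines are the same block scalar, and any
    # expression there is substituted into the shell script before it executes.
    findings, in_run, run_indent = [], False, 0
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and stripped and indent <= run_indent:
            in_run = False  # next key or step: leave the run block
        match = RUN_KEY.match(stripped)
        if match:
            in_run, run_indent, body = True, indent, match.group(1)
        elif in_run:
            body = stripped
        else:
            continue
        for expr in EXPRESSION.findall(body):
            if any(ctx in expr for ctx in UNTRUSTED_CONTEXTS):
                findings.append((n, expr.strip()))
    return findings

# Constructed sample: PR title and branch name interpolated into the script.
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  build:
    steps:
      - run: |
          echo "title: ${{ github.event.pull_request.title }}"
          echo "branch: ${{ github.head_ref }}"
"""
# Hardened form: the same values reach the script only as quoted env variables.
HARDENED = (VULNERABLE
    .replace('"title: ${{ github.event.pull_request.title }}"', '"title: $PR_TITLE"')
    .replace('"branch: ${{ github.head_ref }}"', '"branch: $HEAD_REF"')
    .replace("- run: |", "- env:\n          PR_TITLE: ${{ github.event.pull_request.title }}"
             "\n          HEAD_REF: ${{ github.head_ref }}\n        run: |"))
```

Running the scanner over `VULNERABLE` reports both interpolated expressions with their line numbers; over `HARDENED` it reports nothing, because the expressions now live under `env:` rather than inside the script.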
CVSS Details
Base Score
Exploitability
Impact
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Threat Intelligence
EPSS Exploit Probability: 24.6%
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses (1)
CWE-78: OS Command Injection
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| meshtastic | meshtastic_firmware | * | <2.6.6 |
References (2)
- github.com: https://github.com/meshtastic/firmware/blob/3fd47d9713e7d1b6866c48cf218e2435741651a2/.github/workflows/main_matrix.yml#L34-L41
- github.com: https://github.com/meshtastic/firmware/security/advisories/GHSA-6mwm-v2vv-pp96
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.