Meshtastic Firmware vulnerabilities
13 known vulnerabilities affecting meshtastic/meshtastic_firmware.
Total CVEs
13
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL3HIGH5MEDIUM5
Vulnerabilities
Page 1 of 1
CVE-2025-24797P2CRITICALCVSS 9.8fixed in 2.6.22025-04-15
CVE-2025-24797 [CRITICAL] CWE-119 CVE-2025-24797: Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets conta
Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid protobuf data can result in an attacker-controlled buffer overflow, allowing an attacker to hijack execution flow, potentially resulting in remote code execution. This attack does not require authentication or user interaction, as long
nvd
CVE-2024-47078P3CRITICALCVSS 9.8fixed in 2.5.12024-09-25
CVE-2024-47078 [CRITICAL] CWE-287 CVE-2024-47078: Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communi
Meshtastic is an open source, off-grid, decentralized, mesh network. Meshtastic uses MQTT to communicate over an internet connection to a shared or private MQTT Server. Nodes can communicate directly via an internet connection or proxied through a connected phone (i.e., via bluetooth). Prior to version 2.5.1, multiple weaknesses in the MQTT implem
nvd
CVE-2025-55293P3CRITICALCVSS 9.8fixed in 2.6.32025-08-18
CVE-2025-55293 [CRITICAL] CWE-287 CVE-2025-55293: Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInf
Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->u
nvd
CVE-2025-52464P3HIGHCVSS 8.3≥ 2.5.0, < 2.6.112025-06-19
CVE-2025-52464 [HIGH] CWE-331 CVE-2025-52464: Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the
Meshtastic is an open source mesh networking solution. In versions from 2.5.0 to before 2.6.11, the flashing procedure of several hardware vendors was resulting in duplicated public/private keys. Additionally, the Meshtastic was failing to properly initialize the internal randomness pool on some platforms, leading to possible low-entropy key generation
nvd
CVE-2025-55292P3HIGHCVSS 8.2fixed in 2.7.62026-01-28
CVE-2025-55292 [HIGH] CWE-348 CVE-2025-55292: Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Nod
Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. An attacker can, as such, forge a NodeInfo on behalf o
nvd
CVE-2025-53637P3HIGHCVSS 8.0fixed in 2.6.62025-07-10
CVE-2025-53637 [HIGH] CWE-78 CVE-2025-53637: Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggere
Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code.
nvd
CVE-2024-45038P3HIGHCVSS 7.5fixed in 2.4.12024-08-27
CVE-2024-45038 [HIGH] CWE-755 CVE-2024-45038: Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, dec
Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic device firmware is subject to a denial of serivce vulnerability in MQTT handling, fixed in version 2.4.1 of the Meshtastic firmware and on the Meshtastic public MQTT Brok
nvd
CVE-2024-51500P3HIGHCVSS 7.5fixed in 2.5.62024-11-04
CVE-2024-51500 [HIGH] CWE-138 CVE-2024-51500: Meshtastic firmware is a device firmware for the Meshtastic project. The Meshtastic firmware does no
Meshtastic firmware is a device firmware for the Meshtastic project. The Meshtastic firmware does not check for packets claiming to be from the special broadcast address (0xFFFFFFFF) which could result in unexpected behavior and potential for DDoS attacks on the network. A malicious actor could craft a packet to be from that address which would result
nvd
CVE-2024-47065P3MEDIUMCVSS 6.5fixed in 2.5.12025-07-11
CVE-2024-47065 [MEDIUM] CWE-799 CVE-2024-47065: Meshtastic is an open source mesh networking solution. Prior to 2.5.1, traceroute responses from the
Meshtastic is an open source mesh networking solution. Prior to 2.5.1, traceroute responses from the remote node are not rate limited. Given that there are SNR measurements attributed to each received transmission, this is a guaranteed way to get a remote station to reliably and continuously respond. You could easily get 100 samples in a short amoun
nvd
CVE-2024-47079P4MEDIUMCVSS 6.4fixed in 2.5.12024-10-07
CVE-2024-47079 [MEDIUM] CWE-345 CVE-2024-47079: Meshtastic is an open source, off-grid, decentralized, mesh network built to run on affordable, low-
Meshtastic is an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic firmware is an open source firmware implementation for the broader project. The remote hardware module of the firmware does not have proper checks to ensure a remote hardware control message was received should be considered
nvd
CVE-2025-21608P4MEDIUMCVSS 5.3≥ 2.5.0, < 2.5.192025-02-18
CVE-2025-21608 [MEDIUM] CWE-668 CVE-2025-21608: Meshtastic is an open source mesh networking solution. In affected firmware versions crafted packets
Meshtastic is an open source mesh networking solution. In affected firmware versions crafted packets over MQTT are able to appear as a DM in client to a node even though they were not decoded with PKC. This issue has been addressed in version 2.5.19 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
nvd
CVE-2025-53627P4MEDIUMCVSS 5.3≥ 2.5.0, < 2.7.152025-12-29
CVE-2025-53627 [MEDIUM] CWE-1287 CVE-2025-53627: Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from versio
Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the `pki_encrypted` flag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compati
nvd
CVE-2025-24798P4MEDIUMCVSS 6.5≥ 1.2.1, < 2.6.22025-07-10
CVE-2025-24798 [MEDIUM] CWE-617 CVE-2025-24798: Meshtastic is an open source mesh networking solution. From 1.2.1 until 2.6.2, a packet sent to the
Meshtastic is an open source mesh networking solution. From 1.2.1 until 2.6.2, a packet sent to the routing module that contains want_response==true causes a crash. This can lead to a degradation of service for nodes within range of a malicious sender, or via MQTT if downlink is enabled. This vulnerability is fixed in 2.6.2.
nvd