CVE-2024-47065
MEDIUM
meshtastic_firmware < 2.5.1 - Denial of Service via Traceroute Response Flood
Title source: llm
Description
Meshtastic is an open source mesh networking solution. Prior to 2.5.1, traceroute responses from the remote node are not rate limited. Because SNR measurements are attributed to each received transmission, this is a guaranteed way to get a remote station to respond reliably and continuously. You could easily get 100 samples in a short amount of time (estimated 2 minutes), whereas passively doing the same could take hours or days. As a secondary effect, non-rate-limited traceroute also allows a 2:1 reflected DoS of the network, but this concern is smaller than the problem with positional confidentiality (other DoS routes exist). This vulnerability is fixed in 2.5.1.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/meshtastic/firmware/security/advisories/GHSA-4hjx-54gf-2jh7
Scores
CVSS v3: 6.5
EPSS: 0.0024
EPSS Percentile: 15.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-799
Status: published
Products (1)
meshtastic/meshtastic_firmware: < 2.5.1
Published: Jul 11, 2025
Tracked Since: Feb 18, 2026