CVE-2025-53637

MEDIUM

meshtastic_firmware < 2.6.6 - OS Command Injection via GitHub Action Workflow

Title source: llm

Description

Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_confirm

https://github.com/meshtastic/firmware/security/advisories/GHSA-6mwm-v2vv-pp96

Product x_refsource_misc

https://github.com/meshtastic/firmware/blob/3fd47d9713e7d1b6866c48cf218e2435741651a2/.github/workflows/main_matrix.yml#L34-L41

View Writeup ZIP pw:eip

Scores

CVSS v3 4.1

EPSS 0.0033

EPSS Percentile 24.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-78

Status published

Products (1)

meshtastic/meshtastic_firmware < 2.6.6

Published Jul 10, 2025

Tracked Since Feb 18, 2026