CVE-2025-53637

CVE-2025-53637 is a medium-severity vulnerability in Meshtastic Meshtastic Firmware with a CVSS 3.x base score of 4.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-78.

Key facts

Description

Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.

Frequently asked questions

What is CVE-2025-53637?
Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.
How severe is CVE-2025-53637?
CVE-2025-53637 has a CVSS 3.x base score of 4.1, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2025-53637 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (25th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-53637?
CVE-2025-53637 affects Meshtastic Meshtastic Firmware. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-53637?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-53637 have an EU (EUVD) identifier?
Yes. CVE-2025-53637 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-21075.
When was CVE-2025-53637 published?
CVE-2025-53637 was published on 2025-07-10 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Meshtastic Meshtastic Firmware

All CVEs affecting Meshtastic Meshtastic Firmware →

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →