CVE-2025-53627
- Source
- https://cve.org/CVERecord?id=CVE-2025-53627
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53627.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-53627
- Aliases
-
- GHSA-377p-prwp-4hwf
- Published
- 2025-12-29T16:18:29.680Z
- Modified
- 2026-04-12T17:41:42.972307Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Meshtastic firmware allows forged DMs with no PKC to show up as encrypted
- Details
-
Meshtastic is an open source mesh networking solution. The Meshtastic firmware (starting from version 2.5) introduces asymmetric encryption (PKI) for direct messages, but when the
pki_encryptedflag is missing, the firmware silently falls back to legacy AES-256-CTR channel encryption. This was an intentional decision to maintain backwards compatibility. However, the end-user applications, like Web app, iOS/Android app, and applications built on top of Meshtastic using the SDK, did not have a way to differentiate between end-to-end encrypted DMs and the legacy DMs. This creates a downgrade attack path where adversaries who know a shared channel key can craft and inject spoofed direct messages that are displayed as if they were PKC encrypted. Users are not given any feedback of whether a direct message was decrypted with PKI or with legacy symmetric encryption, undermining the expected security guarantees of the PKI rollout. Version 2.7.15 fixes this issue. - Database specific
{ "cwe_ids": [ "CWE-1287" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53627.json" }- References
Affected packages
Git / github.com/meshtastic/firmware
Affected versions
0.*
0.0.3
0.1.10
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.3
0.4.1
0.4.2
0.4.3
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.7
0.6.8
0.7.10
0.7.11
0.7.4
0.7.5
0.7.6
0.7.6b
0.7.7
0.7.8
0.7.9
0.8.1-fixed
0.9.1
0.9.2
0.9.3
0.9.5
0.9.6
0.9.7
1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.1.20
1.1.23
1.1.3
1.1.30
1.1.31
1.1.32
1.1.33
1.1.4
1.1.42
1.1.46
1.1.47
1.1.48
1.1.5
1.1.50
1.1.6
1.1.7
1.1.8
1.2.1
1.2.10
1.2.11
1.2.4
1.2.5
1.2.6
1.2.9
v1.*
v1.2.29.6c95659
v1.2.30.80e4bc6
v1.2.38.cf4e508
v1.2.39.06892c4
v1.2.41.32f3682
v1.2.44.f2c9c55
v1.2.47
v1.2.48.371335e
v1.2.49.5354c49
v1.2.50.41dcfdd
v1.2.51.f9ff06b
v1.2.52.b63802c
v1.2.53.19c1f9f
v1.2.54.288f2be
v1.2.55.9db7c62
v1.2.testing1
v1.3.10.4df0e91
v1.3.10.cc2a84a
v1.3.11.0411401
v1.3.12.6306c53
v1.3.13.71a43a9
v1.3.15.432d067
v1.3.16.97899ae
v1.3.17.c9822de
v1.3.19.3c6a2f7
v1.3.20.9a5ff93
v1.3.21.cf00ac5
v1.3.22.c725a6b
v1.3.23.5462d84
v1.3.24.dff6915
v1.3.25.85f46d3
v1.3.26.0010231
v1.3.27.c88ba58
v1.3.28.41f9541
v1.3.29.7afc149
v1.3.3.2fe124e
v1.3.30.9fe2ddb
v1.3.31.0084643
v1.3.32.7e6c22f
v1.3.33.ab0095c
v1.3.34.401b5d9
v1.3.35.3251cd5
v1.3.36.64f852e
v1.3.36.7e03019
v1.3.36.dd720f2
v1.3.37.97712a9
v1.3.38.1253abd
v1.3.39.ddc3727
v1.3.4.2b20bf3
v1.3.40.e87ecc2
v1.3.41.80ddb81
v1.3.42.9bd9252
v1.3.43.aae9d2f
v1.3.44.4fa8d02
v1.3.46.d4ea956
v1.3.47.05147c0
v1.3.48.82bcd39
v1.3.5.e5b19fd
v1.3.6.f511bab
v1.3.7.bb22b6e
v1.3.8.90df7c2
v1.3.9.92185e7
v2.*
v2.0.0.18ab874
v2.0.1.ad05b91
v2.0.10.e09b12c
v2.0.11.8914d1a
v2.0.12.2400dd4
v2.0.13.7e27729
v2.0.14.2baaad8
v2.0.15.aafbde0
v2.0.16.2242b68
v2.0.17.5d1c06b
v2.0.18.1a7991c
v2.0.19.3209aea
v2.0.2.8146e84
v2.0.20.7100416
v2.0.21.83e6cea
v2.0.22.fbfd0f1
v2.0.23.7bb281d
v2.0.3.09fe616
v2.0.6.97fd5cf
v2.0.7.91ff7b9
v2.0.8.090e166
v2.0.9.6ea0963
v2.1.0.331a1af
v2.1.1.dc2ca9c
v2.1.10.7ef12c7
v2.1.11.5ec624d
v2.1.12.7711b03
v2.1.13.7475c86
v2.1.14.99a31c1
v2.1.15.cd78723
v2.1.16.a2c5b92
v2.1.17.7ca2e81
v2.1.18.de53280
v2.1.19.eb7025f
v2.1.2.6d20215
v2.1.20.470363d
v2.1.21.97d7a89
v2.1.22.191a69d
v2.1.23.04bbdc6
v2.1.3.8c68d88
v2.1.4.958d2cf
v2.1.5.23272da
v2.1.6.5679a82
v2.1.7.242f880
v2.1.9.d43ddc9
v2.2.0.9f6584b
v2.2.1.fb5f2e4
v2.2.10.7cebd79
v2.2.11.10265aa
v2.2.12.092e6f2
v2.2.13.f570204
v2.2.14.57542ce
v2.2.15.31c4693
v2.2.16.1c6acfd
v2.2.17.dbac2b1
v2.2.18.e9bde80
v2.2.19.8f6a283
v2.2.2.f35c7be
v2.2.20.af5ac32
v2.2.21.7f7c5cb
v2.2.22.404d0dd
v2.2.23.5672e68
v2.2.24.e6a2c06
v2.2.3.282cc0b
v2.2.4.3bcab0e
v2.2.5.8255128
v2.2.6.b53cb38
v2.2.7.e8970ad
v2.2.8.61f6fb2
v2.2.9.47301a5
v2.3.0.5f47ca1
v2.3.1.4fa7f5a
v2.3.10.d19607b
v2.3.11.2740a56
v2.3.12.24458a7
v2.3.13.83f5ba0
v2.3.14.64531fa
v2.3.15.deb7c27
v2.3.2.63df972
v2.3.3.8187fa7
v2.3.4.ea61808
v2.3.5.2f9b68e
v2.3.6.7a3570a
v2.3.7.30fbcab
v2.3.8.d490a33
v2.3.9.f06c56a
v2.4.0.46d7b82
v2.4.1.394e0e1
v2.4.2.5b45303
v2.4.3.efc27f2
v2.5.0.33eb073
v2.5.0.9ac0e26
v2.5.0.9e55e6b
v2.5.0.ab7de7f
v2.5.0.d6dac17
v2.5.0.e470619
v2.5.10.0fc5c9b
v2.5.11.8e2a3e5
v2.5.12.aa184e6
v2.5.13.1a06f88
v2.5.13.295278b
v2.5.14.f2ee0df
v2.5.15.79da236
v2.5.16.f81d3b0
v2.5.17.b4b2fd6
v2.5.18.89ebafc
v2.5.19.d5cd6f8
v2.5.19.f9876cf
v2.5.2.771cb52
v2.5.20.4c97351
v2.5.21.447533a
v2.5.22.d1fa27d
v2.5.23.bf958ed
v2.5.3.a70d5ee
v2.5.4.8d288d5
v2.5.5.e182ae7
v2.5.6.d55c08d
v2.5.7.f77c87d
v2.5.8.6485f03
v2.5.9.936260f
v2.6.0.f7afa9a
v2.6.1.7c3edde
v2.6.10.9ce4455
v2.6.11.60ec05e
v2.6.12.9861e82
v2.6.13.0561f2c
v2.6.2.31c0e8f
v2.6.3.640e731
v2.6.3.d28af68
v2.6.4.b89355f
v2.6.5.fc3d9f2
v2.6.6.54c1423
v2.6.7.2d6181f
v2.6.8.ef9d0d7
v2.6.9.f223b8a
v2.7.0.195b7cc
v2.7.0.705515a
v2.7.1.f35ca81
v2.7.12.45f15b8
v2.7.13.597fa0b
v2.7.2.f6d3782
v2.7.3.cf574c7
v2.7.4.c1f4f79
v2.7.5.ddd1499
Database specific
vanir_signatures_modified
"2026-04-12T17:41:42Z"
vanir_signatures
[
{
"source": "https://github.com/meshtastic/firmware/commit/d18f3f7a658817b35a3ab746d8522c1136890785",
"target": {
"file": "src/platform/nrf52/main-nrf52.cpp"
},
"id": "CVE-2025-53627-0a9e38db",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"244974135487406104536757880599777179385",
"16573642190003030343341205205732522021",
"291547561435929806146469486968999636026",
"276698711310302947336925963762221840480",
"164177178971494057806370228117100589444",
"155755477865891252494389155328333356972",
"128102664341683456659532839125274001446",
"309009486547279748857691693967836145098"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/meshtastic/firmware/commit/d18f3f7a658817b35a3ab746d8522c1136890785",
"target": {
"file": "src/power.h"
},
"id": "CVE-2025-53627-49a701c0",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"269871890982149161983400334738294748426"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/meshtastic/firmware/commit/d18f3f7a658817b35a3ab746d8522c1136890785",
"target": {
"function": "cpuDeepSleep",
"file": "src/platform/nrf52/main-nrf52.cpp"
},
"id": "CVE-2025-53627-593af2c6",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "146632134818370094629248435117067292452",
"length": 2758.0
}
},
{
"source": "https://github.com/meshtastic/firmware/commit/d18f3f7a658817b35a3ab746d8522c1136890785",
"target": {
"file": "src/Power.cpp"
},
"id": "CVE-2025-53627-73baeca9",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"243209889756938622254915687208403039529",
"273072613753598073368170073077509909094",
"143714367153691372663768807826916293436",
"48724121699150261087639861260321370997",
"224640523009678531945193925946837891089",
"243547986097771994639829840578601694223",
"98058157585123478074565918936167944738",
"13989455726426397035290595705997051354",
"12401851290150183365560591500449426009",
"307996330851299716114763298088139345897",
"60317621257674432074329261751858826402",
"336894856662961851900543474286216033638",
"315650285289501565701784315611156368711",
"171364256127998893207073120283313043336",
"314500771492049544102569564715279066314",
"266214296526746930593717680440362594666",
"269377640514847708723293262549639628261",
"57272087558504524141378201748556942022",
"106123734553324296190605564040355783289",
"22085148226424470532183694915430028705",
"176440833359375473629028854979592315400",
"195076295500881840395952621322473241467",
"98690612998579422020702330808410056981",
"268379138884745825427273133382000062512",
"35247470865163757263310970646294327638",
"240118316636559675786566651817999258081"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/meshtastic/firmware/commit/d18f3f7a658817b35a3ab746d8522c1136890785",
"target": {
"function": "Power::readPowerStatus",
"file": "src/Power.cpp"
},
"id": "CVE-2025-53627-87f469d7",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "142276447114734159869605512449700239524",
"length": 3458.0
}
},
{
"source": "https://github.com/meshtastic/firmware/commit/d18f3f7a658817b35a3ab746d8522c1136890785",
"target": {
"function": "adcEnable",
"file": "src/Power.cpp"
},
"id": "CVE-2025-53627-c34f9a36",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "51978269007857202018929737994997016914",
"length": 493.0
}
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53627.json"