CVE-2025-53637

Source
https://cve.org/CVERecord?id=CVE-2025-53637
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53637.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-53637
Aliases
  • GHSA-6mwm-v2vv-pp96
Published
2025-07-10T21:31:44.006Z
Modified
2026-07-15T01:49:08.120602920Z
Severity
  • 4.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N CVSS Calculator
Summary
Meshtastic allows Command Injection in GitHub Action
Details

Meshtastic is an open source mesh networking solution. The mainmatrix.yml GitHub Action is triggered by the pullrequest_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.

Database specific
{
    "cwe_ids": [
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53637.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/meshtastic/firmware

Affected ranges

Type
GIT
Repo
https://github.com/meshtastic/firmware
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.5.3"
        },
        {
            "fixed": "2.6.6"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v2.*
v2.5.10.0fc5c9b
v2.5.11.8e2a3e5
v2.5.12.aa184e6
v2.5.13.1a06f88
v2.5.13.295278b
v2.5.14.f2ee0df
v2.5.15.79da236
v2.5.16.f81d3b0
v2.5.17.b4b2fd6
v2.5.18.89ebafc
v2.5.19.d5cd6f8
v2.5.19.f9876cf
v2.5.20.4c97351
v2.5.21.447533a
v2.5.22.d1fa27d
v2.5.23.bf958ed
v2.5.3.a70d5ee
v2.5.4.8d288d5
v2.5.5.e182ae7
v2.5.6.d55c08d
v2.5.7.f77c87d
v2.5.8.6485f03
v2.5.9.936260f
v2.6.0.f7afa9a
v2.6.1.7c3edde
v2.6.2.31c0e8f
v2.6.3.640e731
v2.6.3.d28af68
v2.6.4.b89355f
v2.6.5.fc3d9f2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53637.json"