Meshtastic is an open source mesh networking solution. The mainmatrix.yml GitHub Action is triggered by the pullrequest_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.
{
"cwe_ids": [
"CWE-78"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53637.json",
"cna_assigner": "GitHub_M"
}