CVE-2025-24798

Meshtastic is an open source mesh networking solution. From 1.2.1 until 2.6.2, a packet sent to the routing module that contains want_response==true causes a crash. This can lead to a degradation of service for nodes within range of a malicious sender, or via MQTT if downlink is enabled. This vulnerability is fixed in 2.6.2.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/meshtastic/firmware/blob/cdcbf4c61550e45c125e17a20aff4275e9389655/src/modules/RoutingModule.cpp#L44-L48
https://github.com/meshtastic/firmware/commit/dc100e4d3e3dfbf58d3ead8141a49cddb0cbdc19
https://github.com/meshtastic/firmware/security/advisories/GHSA-4q84-546j-3mf5

Configurations

No configuration.

History

15 Jul 2025, 13:14

Type	Values Removed	Values Added
Summary		(es) Meshtastic es una solución de red en malla de código abierto. Desde la versión 1.2.1 hasta la 2.6.2, un paquete enviado al módulo de enrutamiento con want_response==true provoca un fallo. Esto puede provocar una degradación del servicio para los nodos dentro del alcance de un remitente malicioso, o a través de MQTT si el enlace descendente está habilitado. Esta vulnerabilidad se corrigió en la versión 2.6.2.

10 Jul 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-10 22:15

Updated : 2025-07-15 13:14

NVD link : CVE-2025-24798

Mitre link : CVE-2025-24798

CVE.ORG link : CVE-2025-24798

JSON object : View

Products Affected

No product.

CWE

CWE-617

Reachable Assertion

4.3 /10