CVE-2025-52883
BaseFortify
Publication date: 2025-06-24
Last updated on: 2025-06-26
Assigner: GitHub, Inc.
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52883 is a vulnerability in Meshtastic-Android versions prior to 2.5.21 where an attacker can send unencrypted forged direct messages impersonating any node in the mesh network. These forged messages appear in the victim's chat as if they were encrypted using Public Key Cryptography (PKC), indicated by a green padlock icon, misleading the victim into believing the communication is secure when it is not. This happens because the application accepts messages sent using the shared Meshtastic channel key but displays them as if they were PKC-encrypted, causing a false sense of security and allowing attackers to inject messages without detection. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to impersonate other nodes in the mesh network and send forged messages that appear to be securely encrypted. As a result, you may be misled into trusting and acting on false or malicious information, since the forged messages display a green padlock icon indicating PKC encryption when in fact they are not encrypted. This compromises message integrity and can lead to misinformation or manipulation within your communications. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for forged direct messages that appear to be encrypted with Public Key Cryptography (PKC) but are actually sent unencrypted using the shared Meshtastic channel key. The Meshtastic-Android client prior to version 2.5.21 does not properly distinguish these messages, causing a false green padlock icon to appear. To detect this, one should look for messages received in PKC chats that are not actually PKC-encrypted. The updated client includes a 'mismatchKey' flag and UI warnings to indicate public key mismatches. While no specific network commands are provided, detection relies on using the patched client version (2.5.21 or later) which implements stricter verification and explicit UI indicators for such mismatches. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Meshtastic-Android application to version 2.5.21 or later, which contains the patch addressing this vulnerability. The patch implements stricter verification of whether messages are received via PKC or the shared channel key and introduces explicit UI indicators (such as warnings and a 'mismatchKey' flag) to alert users of public key mismatches. Additionally, consider applying client-side changes to avoid displaying a misleading green padlock icon for messages not encrypted with PKC. These mitigations focus on the client application rather than the firmware. [1, 2]
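The padlock decision described in the explanation and mitigation answers above, as an added model in Python (this is illustrative code written for this page, not Meshtastic-Android's own implementation; the type names, the `pki_encrypted` field, the `mismatch_key` verdict field and the trusted-key table are this example's assumptions). It contrasts the pre-2.5.21 behaviour, where a direct message is shown with the padlock regardless of how it was transported, with a check that only grants the padlock when the message actually arrived under PKC from a sender whose public key matches the stored one, and flags a key mismatch explicitly.

```python
"""Model of the padlock decision for a Meshtastic direct message.

Assumed model (not the real app's types): a decoded inbound DM either was
decrypted with the recipient's private key (pki_encrypted=True, carrying the
sender's public key) or arrived under the shared channel key
(pki_encrypted=False), which any node that knows the channel key could have sent.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class InboundDirectMessage:
    sender_node: str                     # node id the packet claims to come from
    text: str
    pki_encrypted: bool                  # True only if decrypted via PKC
    sender_public_key: Optional[bytes] = None  # present only for PKC messages


@dataclass(frozen=True)
class DisplayVerdict:
    show_padlock: bool      # green padlock in the chat UI
    mismatch_key: bool      # modelled 'mismatchKey' flag from the patched client
    warning: Optional[str]  # UI warning text, None when nothing to warn about


def vulnerable_verdict(msg: InboundDirectMessage) -> DisplayVerdict:
    """Pre-2.5.21 behaviour as described on the page: any DM shown in a PKC chat
    gets the padlock, even if it was sent with the shared channel key."""
    return DisplayVerdict(show_padlock=True, mismatch_key=False, warning=None)


def patched_verdict(msg: InboundDirectMessage,
                    trusted_keys: Dict[str, bytes]) -> DisplayVerdict:
    """Stricter verification: padlock only for PKC messages whose sender key
    matches the key already stored for that node."""
    if not msg.pki_encrypted:
        return DisplayVerdict(
            show_padlock=False, mismatch_key=False,
            warning="received over the shared channel key, sender not verified")
    expected = trusted_keys.get(msg.sender_node)
    if expected is None or msg.sender_public_key != expected:
        return DisplayVerdict(
            show_padlock=False, mismatch_key=True,
            warning="public key mismatch for sender %s" % msg.sender_node)
    return DisplayVerdict(show_padlock=True, mismatch_key=False, warning=None)


def demo() -> Dict[str, DisplayVerdict]:
    """Constructed sample messages; keys are dummy 32-byte values."""
    trusted = {"!alice": b"\x01" * 32}
    genuine = InboundDirectMessage("!alice", "meet at 9", True, b"\x01" * 32)
    # Forged: claims to be from !alice but arrived under the shared channel key.
    forged = InboundDirectMessage("!alice", "meet at 10 instead", False)
    # PKC message whose key does not match what we stored for !alice.
    wrong_key = InboundDirectMessage("!alice", "hi", True, b"\x02" * 32)
    return {
        "genuine_patched": patched_verdict(genuine, trusted),
        "forged_vulnerable": vulnerable_verdict(forged),
        "forged_patched": patched_verdict(forged, trusted),
        "wrong_key_patched": patched_verdict(wrong_key, trusted),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The forged message is the interesting case: the vulnerable path shows the padlock for it, while the patched path withholds the padlock and attaches a warning, and a PKC message carrying an unexpected sender key is surfaced through the modelled `mismatch_key` flag rather than silently trusted.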