CVE-2025-53637
BaseFortify
Publication date: 2025-07-10
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| meshtastic | meshtastic_firmware | up to 2.6.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Meshtastic's main_matrix.yml GitHub Action, which is triggered by the pull_request_target event. Workflows run on this event have extensive permissions, and the event can be triggered by an attacker who forks the repository and opens a pull request. The vulnerability arises because user-controlled input is unsafely interpolated into shell code, allowing an attacker to inject unauthorized code into the repository.
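As an added illustration (not Meshtastic's own workflow or code), a small Python checker that scans a workflow file for the pattern described above: a pull_request_target trigger combined with `${{ }}` expressions from attacker-controllable contexts inside `run:` steps. Both workflows are constructed samples, the function names are hypothetical, and the hardened variant shows the usual fix of assigning the expression to an environment variable so the shell reads it as data rather than code.

```python
import re

# Constructed, non-exhaustive list of contexts a fork PR author controls.
UNTRUSTED = ("github.event.pull_request.title", "github.event.pull_request.body",
             "github.event.pull_request.head.ref", "github.head_ref")
EXPR = re.compile(r"\$\{\{(.*?)\}\}")               # ${{ ... }} expressions
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")  # a step's run: key

def _scan(text, lineno):
    return [(lineno, c) for e in EXPR.findall(text) for c in UNTRUSTED if c in e]

def find_unsafe_interpolations(workflow_text):
    """(line_no, context) pairs: untrusted contexts in run: shell under pull_request_target."""
    if not re.search(r"\bpull_request_target\b", workflow_text):
        return []                                   # privileged trigger makes it critical
    findings, block_indent = [], None
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if block_indent is not None:                # inside a `run: |` block
            if line.strip() and indent <= block_indent:
                block_indent = None                 # dedent ends the block
            else:
                findings += _scan(line, lineno)
                continue
        m = RUN_KEY.match(line)
        if not m:
            continue
        rest = m.group(3).strip()
        if rest[:1] in ("|", ">"):                  # multi-line script follows
            block_indent = len(m.group(1)) + len(m.group(2) or "")
        else:
            findings += _scan(rest, lineno)         # one-line run: command
    return findings

# Constructed workflows: the unsafe pattern, then the env-variable indirection fix.
HEADER = "name: example\non:\n  pull_request_target:\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n"
VULNERABLE = HEADER + """\
      - run: |
          echo "Building ${{ github.event.pull_request.title }}"
          echo "from ${{ github.head_ref }}"
"""
HARDENED = HEADER + """\
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building $PR_TITLE"
"""
if __name__ == "__main__":
    print(find_unsafe_interpolations(VULNERABLE))  # -> [(9, 'github.event.pull_request.title'), (10, 'github.head_ref')]
    print(find_unsafe_interpolations(HARDENED))    # -> []
```

The checker only flags `run:` steps; expressions assigned under `env:` are not reported because the shell then receives them as variable contents, which is the remediation pattern.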
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker to execute unauthorized code within the repository, potentially compromising the integrity of the codebase and leading to further security issues such as code tampering or supply chain attacks.
What immediate steps should I take to mitigate this vulnerability?
Update Meshtastic to version 2.6.6 or later, as this version contains the fix for the vulnerability involving unsafe code interpolation in the main_matrix.yml GitHub Action.