What is the CVSS score of CVE-2025-53637?

CVE-2025-53637 has a CVSS 3.1 base score of 4.1 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Meshtastic Firmware are affected by CVE-2025-53637?

Organizations using Meshtastic should be aware of moderate risk from CVE-2025-53637, a OS command injection vulnerability rated CVSS 4.1.. A patch is available.

How to fix or mitigate CVE-2025-53637?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.

Meshtastic Firmware CVE-2025-53637

EUVD-2025-21075 MEDIUM

OS Command Injection (CWE-78)

2025-07-10 security-advisories@github.com

RCE Command Injection Meshtastic Firmware

4.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

4.1 MEDIUM

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

2.6.6

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2025-21075

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

CVE Published

Jul 10, 2025 - 22:15 nvd

MEDIUM 4.1

DescriptionGitHub Advisory

Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.

Analysis

Technical ContextAI

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells. This vulnerability is classified as OS Command Injection (CWE-78).

RemediationAI

Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

CVE-2025-53637 vulnerability details – vuln.today

Back