{"id":"CVE-2025-21608","summary":"Forged packets over MQTT can show up in direct messages in Meshtastic firmware","details":"Meshtastic is an open source mesh networking solution. In affected firmware versions crafted packets over MQTT are able to appear as a DM in client to a node even though they were not decoded with PKC. This issue has been addressed in version 2.5.19 and all users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["GHSA-c967-qc39-3hf5"],"modified":"2026-07-15T01:49:09.460699791Z","published":"2025-02-18T18:17:28.752Z","database_specific":{"cwe_ids":["CWE-668"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21608.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21608.json"},{"type":"ADVISORY","url":"https://github.com/meshtastic/firmware/security/advisories/GHSA-c967-qc39-3hf5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21608"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/meshtastic/firmware","events":[{"introduced":"0"},{"last_affected":"89ebafc8b8d85ee12002b9c574f8472d99e9ec50"}],"database_specific":{"extracted_events":[{"introduced":"2.5.0"},{"last_affected":"2.5.18"}],"source":"AFFECTED_FIELD"}}],"versions":["v2.5.18.89ebafc","v2.5.17.b4b2fd6","v2.5.16.f81d3b0","v2.5.15.79da236","v2.5.14.f2ee0df","v2.5.13.1a06f88","v2.5.13.295278b","v2.5.12.aa184e6","v2.5.11.8e2a3e5","v2.5.10.0fc5c9b","v2.5.9.936260f","v2.5.8.6485f03","v2.5.7.f77c87d","v2.5.6.d55c08d","v2.5.5.e182ae7","v2.5.4.8d288d5","v2.5.3.a70d5ee","v2.5.2.771cb52","v2.5.0.9ac0e26","v2.5.0.e470619","v2.5.0.9e55e6b","v2.5.0.33eb073","v2.5.0.d6dac17","v2.5.0.ab7de7f","v2.4.3.efc27f2","v2.4.2.5b45303","v2.4.1.394e0e1","v2.4.0.46d7b82","v2.3.15.deb7c27","v2.3.14.64531fa","v2.3.13.83f5ba0","v2.3.12.24458a7","v2.3.11.2740a56","v2.3.10.d19607b","v2.3.9.f06c56a","v2.3.8.d490a33","v2.3.7.30fbcab","v2.3.6.7a3570a","v2.3.5.2f9b68e","v2.3.4.ea61808","v2.3.3.8187fa7","v2.3.2.63df972","v2.3.1.4fa7f5a","v2.3.0.5f47ca1","v2.2.24.e6a2c06","v2.2.23.5672e68","v2.2.22.404d0dd","v2.2.21.7f7c5cb","v2.2.20.af5ac32","v2.2.19.8f6a283","v2.2.18.e9bde80","v2.2.17.dbac2b1","v2.2.16.1c6acfd","v2.2.15.31c4693","v2.2.14.57542ce","v2.2.13.f570204","v2.2.12.092e6f2","v2.2.11.10265aa","v2.2.10.7cebd79","v2.2.9.47301a5","v2.2.8.61f6fb2","v2.2.7.e8970ad","v2.2.6.b53cb38","v2.2.5.8255128","v2.2.4.3bcab0e","v2.2.3.282cc0b","v2.2.2.f35c7be","v2.2.1.fb5f2e4","v2.2.0.9f6584b","v2.1.23.04bbdc6","v2.1.22.191a69d","v2.1.21.97d7a89","v2.1.20.470363d","v2.1.19.eb7025f","v2.1.18.de53280","v2.1.17.7ca2e81","v2.1.16.a2c5b92","v2.1.15.cd78723","v2.1.14.99a31c1","v2.1.13.7475c86","v2.1.12.7711b03","v2.1.11.5ec624d","v2.1.10.7ef12c7","v2.1.9.d43ddc9","v2.1.7.242f880","v2.1.6.5679a82","v2.1.5.23272da","v2.1.4.958d2cf","v2.1.3.8c68d88","v2.1.2.6d20215","v2.1.1.dc2ca9c","v2.1.0.331a1af","v2.0.23.7bb281d","v2.0.22.fbfd0f1","v2.0.21.83e6cea","v2.0.20.7100416","v2.0.19.3209aea","v2.0.18.1a7991c","v2.0.17.5d1c06b","v2.0.16.2242b68","v2.0.15.aafbde0","v2.0.14.2baaad8","v2.0.13.7e27729","v2.0.12.2400dd4","v2.0.11.8914d1a","v2.0.10.e09b12c","v2.0.9.6ea0963","v2.0.8.090e166","v2.0.7.91ff7b9","v2.0.6.97fd5cf","v2.0.3.09fe616","v2.0.2.8146e84","v2.0.1.ad05b91","v2.0.0.18ab874","v1.3.48.82bcd39","v1.3.47.05147c0","v1.3.46.d4ea956","v1.3.44.4fa8d02","v1.3.43.aae9d2f","v1.3.42.9bd9252","v1.3.41.80ddb81","v1.3.40.e87ecc2","v1.3.39.ddc3727","v1.3.38.1253abd","v1.3.37.97712a9","v1.3.36.64f852e","v1.3.36.dd720f2","v1.3.36.7e03019","v1.3.35.3251cd5","v1.3.34.401b5d9","v1.3.33.ab0095c","v1.3.32.7e6c22f","v1.3.31.0084643","v1.3.30.9fe2ddb","v1.3.29.7afc149","v1.3.28.41f9541","v1.3.27.c88ba58","v1.3.26.0010231","v1.3.25.85f46d3","v1.3.24.dff6915","v1.3.23.5462d84","v1.3.22.c725a6b","v1.3.21.cf00ac5","v1.3.20.9a5ff93","v1.3.19.3c6a2f7","v1.3.17.c9822de","v1.3.16.97899ae","v1.3.15.432d067","v1.3.13.71a43a9","v1.3.12.6306c53","v1.3.11.0411401","v1.3.10.4df0e91","v1.3.10.cc2a84a","v1.3.9.92185e7","v1.3.8.90df7c2","v1.3.7.bb22b6e","v1.3.6.f511bab","v1.3.5.e5b19fd","v1.3.4.2b20bf3","v1.3.3.2fe124e","v1.2.55.9db7c62","v1.2.54.288f2be","v1.2.53.19c1f9f","v1.2.52.b63802c","v1.2.51.f9ff06b","v1.2.50.41dcfdd","v1.2.49.5354c49","v1.2.48.371335e","v1.2.47","v1.2.44.f2c9c55","v1.2.41.32f3682","v1.2.39.06892c4","v1.2.38.cf4e508","v1.2.30.80e4bc6","v1.2.29.6c95659","v1.2.testing1","1.2.11","1.2.10","1.1.33","1.2.9","1.2.6","1.2.5","1.2.4","1.2.1","1.1.50","1.1.48","1.1.47","1.1.46","1.1.42","1.1.32","1.1.31","1.1.30","1.1.7","1.1.23","1.1.20","1.1.8","1.1.6","1.1.5","1.1.4","1.1.3","1.1.2","1.1.1","1.1.0","1.0.0","0.9.7","0.9.6","0.9.5","0.9.3","0.9.2","0.9.1","0.8.1-fixed","0.7.11","0.7.10","0.7.9","0.7.8","0.7.7","0.7.6b","0.7.6","0.7.5","0.7.4","0.6.8","0.6.7","0.6.4","0.6.3","0.6.2","0.6.1","0.6.0","0.4.3","0.4.2","0.4.1","0.2.3","0.2.0","0.1.10","0.1.9","0.1.8","0.1.7","0.1.6","0.0.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21608.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}