{"id":"CVE-2025-53637","summary":"Meshtastic allows Command Injection in GitHub Action","details":"Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6.","aliases":["GHSA-6mwm-v2vv-pp96"],"modified":"2026-07-15T01:49:08.120602920Z","published":"2025-07-10T21:31:44.006Z","database_specific":{"cwe_ids":["CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53637.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/meshtastic/firmware/blob/3fd47d9713e7d1b6866c48cf218e2435741651a2/.github/workflows/main_matrix.yml#L34-L41"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53637.json"},{"type":"ADVISORY","url":"https://github.com/meshtastic/firmware/security/advisories/GHSA-6mwm-v2vv-pp96"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53637"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/meshtastic/firmware","events":[{"introduced":"a70d5ee9d879b8530bc486f7f65b4965e2e25e52"},{"fixed":"54c1423039bbb2b6fdecc807843eef8de47a6b41"}],"database_specific":{"extracted_events":[{"introduced":"2.5.3"},{"fixed":"2.6.6"}],"source":"AFFECTED_FIELD"}}],"versions":["v2.6.5.fc3d9f2","v2.6.4.b89355f","v2.6.3.640e731","v2.6.3.d28af68","v2.6.2.31c0e8f","v2.6.1.7c3edde","v2.6.0.f7afa9a","v2.5.23.bf958ed","v2.5.22.d1fa27d","v2.5.21.447533a","v2.5.20.4c97351","v2.5.19.f9876cf","v2.5.19.d5cd6f8","v2.5.18.89ebafc","v2.5.17.b4b2fd6","v2.5.16.f81d3b0","v2.5.15.79da236","v2.5.14.f2ee0df","v2.5.13.1a06f88","v2.5.13.295278b","v2.5.12.aa184e6","v2.5.11.8e2a3e5","v2.5.10.0fc5c9b","v2.5.9.936260f","v2.5.8.6485f03","v2.5.7.f77c87d","v2.5.6.d55c08d","v2.5.5.e182ae7","v2.5.4.8d288d5","v2.5.3.a70d5ee"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53637.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N"}]}