{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "1.2.1"
              },
              {
                "fixed": "2.6.2"
              }
            ]
          },
          "events": [
            {
              "introduced": "531600f5ab026852cf72ce71f04ad9088309b81f"
            },
            {
              "fixed": "31c0e8fa2ca0cce903e73749454324c672c18b4c"
            }
          ],
          "repo": "https://github.com/meshtastic/firmware",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-4q84-546j-3mf5"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-617"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24798.json"
  },
  "details": "Meshtastic is an open source mesh networking solution. In versions from 1.2.1 up to, but not including, 2.6.2, a packet sent to the routing module that contains want_response==true causes a crash. This can lead to degraded service for nodes within range of a malicious sender, or via MQTT if downlink is enabled. This vulnerability is fixed in 2.6.2.",
  "id": "CVE-2025-24798",
  "modified": "2026-04-01T23:10:24.700657658Z",
  "published": "2025-07-10T21:22:30.299Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/meshtastic/firmware/blob/cdcbf4c61550e45c125e17a20aff4275e9389655/src/modules/RoutingModule.cpp#L44-L48"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24798.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/meshtastic/firmware/security/advisories/GHSA-4q84-546j-3mf5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24798"
    },
    {
      "type": "FIX",
      "url": "https://github.com/meshtastic/firmware/commit/dc100e4d3e3dfbf58d3ead8141a49cddb0cbdc19"
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Meshtastic crashes via an unimplemented routing module reply"
}