{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-52883", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-06-20T17:42:25.708Z", "datePublished": "2025-06-24T20:12:59.904Z", "dateUpdated": "2025-06-24T20:47:53.097Z"}, "containers": {"cna": {"title": "Meshtastic-Android vulnerable to forged DMs with no PKC showing up as encrypted", "problemTypes": [{"descriptions": [{"cweId": "CWE-1287", "lang": "en", "description": "CWE-1287: Improper Validation of Specified Type of Input", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/meshtastic/Meshtastic-Android/security/advisories/GHSA-h4rg-g6f3-ghh7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/meshtastic/Meshtastic-Android/security/advisories/GHSA-h4rg-g6f3-ghh7"}, {"name": "https://github.com/meshtastic/Meshtastic-Android/pull/1720", "tags": ["x_refsource_MISC"], "url": "https://github.com/meshtastic/Meshtastic-Android/pull/1720"}], "affected": [{"vendor": "meshtastic", "product": "Meshtastic-Android", "versions": [{"version": "< 2.5.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-24T20:12:59.904Z"}, "descriptions": [{"lang": "en", "value": "Meshtastic-Android is an Android application for the mesh radio software Meshtastic. Prior to version 2.5.21, an attacker is able to send an unencrypted direct message to a victim impersonating any other node of the mesh. This message will be displayed in the same chat that the victim normally communicates with the other node and it will appear as using PKC, while it is not. This means that the victim will be provided with a false sense of security due to the green padlock displayed when using PKC and they'll read the attacker's message as legitimate. Version 2.5.21 contains a patch for the issue. It is suggested to implement a stricter control on whether a message has been received using PKC or using the shared Meshtastic channel key. Moreover, instead of showing no green padlock icon in the chat with no PKC, consider using an explicit indicator like, for example, the yellow half-open padlock displayed when in HAM mode. This remediation, however, applies to the client applications rather than the Meshtastic firmware."}], "source": {"advisory": "GHSA-h4rg-g6f3-ghh7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-24T20:47:43.174923Z", "id": "CVE-2025-52883", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T20:47:53.097Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-52883", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-24T20:47:43.174923Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T20:47:49.219Z"}}], "cna": {"title": "Meshtastic-Android vulnerable to forged DMs with no PKC showing up as encrypted", "source": {"advisory": "GHSA-h4rg-g6f3-ghh7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "meshtastic", "product": "Meshtastic-Android", "versions": [{"status": "affected", "version": "< 2.5.21"}]}], "references": [{"url": "https://github.com/meshtastic/Meshtastic-Android/security/advisories/GHSA-h4rg-g6f3-ghh7", "name": "https://github.com/meshtastic/Meshtastic-Android/security/advisories/GHSA-h4rg-g6f3-ghh7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/meshtastic/Meshtastic-Android/pull/1720", "name": "https://github.com/meshtastic/Meshtastic-Android/pull/1720", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Meshtastic-Android is an Android application for the mesh radio software Meshtastic. Prior to version 2.5.21, an attacker is able to send an unencrypted direct message to a victim impersonating any other node of the mesh. This message will be displayed in the same chat that the victim normally communicates with the other node and it will appear as using PKC, while it is not. This means that the victim will be provided with a false sense of security due to the green padlock displayed when using PKC and they'll read the attacker's message as legitimate. Version 2.5.21 contains a patch for the issue. It is suggested to implement a stricter control on whether a message has been received using PKC or using the shared Meshtastic channel key. Moreover, instead of showing no green padlock icon in the chat with no PKC, consider using an explicit indicator like, for example, the yellow half-open padlock displayed when in HAM mode. This remediation, however, applies to the client applications rather than the Meshtastic firmware."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-24T20:12:59.904Z"}}}, "cveMetadata": {"cveId": "CVE-2025-52883", "state": "PUBLISHED", "dateUpdated": "2025-06-24T20:47:53.097Z", "dateReserved": "2025-06-20T17:42:25.708Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-24T20:12:59.904Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Meshtastic-Android is an Android application for the mesh radio software Meshtastic. Prior to version 2.5.21, an attacker is able to send an unencrypted direct message to a victim impersonating any other node of the mesh. This message will be displayed in the same chat that the victim normally communicates with the other node and it will appear as using PKC, while it is not. This means that the victim will be provided with a false sense of security due to the green padlock displayed when using PKC and they'll read the attacker's message as legitimate. Version 2.5.21 contains a patch for the issue. It is suggested to implement a stricter control on whether a message has been received using PKC or using the shared Meshtastic channel key. Moreover, instead of showing no green padlock icon in the chat with no PKC, consider using an explicit indicator like, for example, the yellow half-open padlock displayed when in HAM mode. This remediation, however, applies to the client applications rather than the Meshtastic firmware."}, {"lang": "es", "value": "Meshtastic-Android es una aplicaci\u00f3n Android para el software de radio en malla Meshtastic. Antes de la versi\u00f3n 2.5.21, un atacante pod\u00eda enviar un mensaje directo sin cifrar a una v\u00edctima haci\u00e9ndose pasar por cualquier otro nodo de la malla. Este mensaje se mostraba en el mismo chat en el que la v\u00edctima se comunicaba normalmente con el otro nodo y aparentaba usar PKC, aunque no lo era. Esto significa que la v\u00edctima se sentir\u00eda insegura debido al candado verde que se muestra al usar PKC y que interpretar\u00eda el mensaje del atacante como leg\u00edtimo. La versi\u00f3n 2.5.21 incluye una soluci\u00f3n para este problema. Se recomienda implementar un control m\u00e1s estricto sobre si un mensaje se recibi\u00f3 usando PKC o la clave de canal compartida de Meshtastic. Adem\u00e1s, en lugar de no mostrar el icono del candado verde en el chat sin PKC, considere usar un indicador expl\u00edcito como, por ejemplo, el candado amarillo entreabierto que se muestra en modo HAM. Sin embargo, esta soluci\u00f3n se aplica a las aplicaciones cliente, no al firmware de Meshtastic. "}], "id": "CVE-2025-52883", "lastModified": "2025-06-26T18:58:14.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-24T21:15:26.030", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/meshtastic/Meshtastic-Android/pull/1720"}, {"source": "security-advisories@github.com", "url": "https://github.com/meshtastic/Meshtastic-Android/security/advisories/GHSA-h4rg-g6f3-ghh7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}