CVE-2025-55292 Overview
CVE-2025-55292 is a node identity spoofing vulnerability in Meshtastic, an open source mesh networking solution. The vulnerability stems from a fundamental architectural weakness where nodes are identified by their NodeID (generated from the MAC address) rather than their public key. This design flaw enables attackers to abuse HAM mode—which operates without encryption—to forge NodeInfo packets on behalf of victim nodes.
By advertising that HAM mode is enabled for a target node, an attacker can manipulate the mesh network's NodeDB, causing other nodes to overwrite legitimate node information. This forces other nodes to send direct messages using the shared channel key instead of Public Key Cryptography (PKC), effectively downgrading the security of communications. The attacker can also modify node details such as full name and short code, and maintain persistence by periodically resending forged NodeInfo packets.
Critical Impact
Attackers can spoof node identity and force communication downgrades from PKC to shared channel encryption, enabling potential eavesdropping and node impersonation across the mesh network.
Affected Products
- Meshtastic Firmware versions prior to 2.7.6.834c3c5
- All Meshtastic mesh network deployments using vulnerable firmware
- Devices communicating with compromised nodes in the mesh
Discovery Timeline
- 2026-01-28 - CVE-2025-55292 published to NVD
- 2026-03-02 - Last updated in NVD database
Technical Details for CVE-2025-55292
Vulnerability Analysis
The vulnerability exploits a trust model weakness in Meshtastic's node identification architecture. Rather than binding node identity to cryptographic public keys, the system relies on NodeID values derived from MAC addresses, which can be easily spoofed. When combined with HAM mode's lack of encryption and authentication, this creates an attack surface where malicious actors can inject forged NodeInfo packets into the mesh network.
The attack enables adversaries to manipulate the NodeDB—the distributed database that mesh nodes use to track other participants. Once the NodeDB is poisoned with forged information indicating a victim node has HAM mode enabled, legitimate nodes will abandon PKC for that destination and fall back to shared channel key encryption, which provides weaker security guarantees.
Root Cause
The root cause is the Use of Less Trusted Source (CWE-348) in the node identification mechanism. Meshtastic's architecture trusts NodeID values without cryptographic verification against public keys, allowing attackers to claim any identity. The NodeDB update logic did not validate that incoming NodeInfo packets matched the existing public key associated with a NodeID, enabling information overwrite attacks.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker within range of the mesh network can:
- Observe legitimate NodeInfo broadcasts to identify target victim nodes
- Craft forged NodeInfo packets claiming the victim has HAM mode enabled
- Broadcast the forged packets, causing other nodes to update their NodeDB
- Maintain persistence by resending forged NodeInfo immediately after the victim sends legitimate updates
- Optionally modify other node attributes like long_name and short_name
The following patch demonstrates the security fix implemented in src/mesh/NodeDB.cpp:
printBytes("Incoming Pubkey: ", p.public_key.bytes, 32);
// Alert the user if a remote node is advertising public key that matches our own
- if (owner.public_key.size == 32 && memcmp(p.public_key.bytes, owner.public_key.bytes, 32) == 0 && !duplicateWarned) {
- duplicateWarned = true;
- char warning[] = "Remote device %s has advertised your public key. This may indicate a compromised key. You may need "
- "to regenerate your public keys.";
- LOG_WARN(warning, p.long_name);
- meshtastic_ClientNotification *cn = clientNotificationPool.allocZeroed();
- cn->level = meshtastic_LogRecord_Level_WARNING;
- cn->time = getValidTime(RTCQualityFromNet);
- sprintf(cn->message, warning, p.long_name);
- service->sendClientNotification(cn);
+ if (owner.public_key.size == 32 && memcmp(p.public_key.bytes, owner.public_key.bytes, 32) == 0) {
+ if (!duplicateWarned) {
+ duplicateWarned = true;
+ char warning[] =
+ "Remote device %s has advertised your public key. This may indicate a compromised key. You may need "
+ "to regenerate your public keys.";
+ LOG_WARN(warning, p.long_name);
+ meshtastic_ClientNotification *cn = clientNotificationPool.allocZeroed();
+ cn->level = meshtastic_LogRecord_Level_WARNING;
+ cn->time = getValidTime(RTCQualityFromNet);
+ sprintf(cn->message, warning, p.long_name);
+ service->sendClientNotification(cn);
+ }
+ return false;
}
}
- if (info->user.public_key.size > 0) { // if we have a key for this user already, don't overwrite with a new one
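Review bot: sprintf(cn->message, warning, p.long_name) in the added block formats a remote-supplied long_name into a fixed-size buffer with no length bound; prefer snprintf(cn->message, sizeof(cn->message), warning, p.long_name) so the write is bounded regardless of how the notification or User fields are sized. The new return false; is placed outside the !duplicateWarned branch, so every NodeInfo advertising our own key is rejected rather than only the first one being warned about, which is the behavioural fix this hunk delivers. The trailing removed line if (info->user.public_key.size > 0) { is shown without its replacement, so this excerpt alone does not show how an already recorded key is protected from being overwritten; that part has to be read in the full commit.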
Source: GitHub Commit e5e8683
The patch adds a return false; statement so that a NodeInfo packet carrying a conflicting public key is rejected rather than merely warned about, preventing the NodeDB update and blocking the spoofing attack vector.
Detection Methods for CVE-2025-55292
Indicators of Compromise
- Unexpected changes to node names, short codes, or other NodeDB attributes without user action
- Multiple nodes reporting the same public key or conflicting node information
- Legitimate nodes suddenly appearing as HAM mode enabled when they should be using PKC
- Client notifications warning about duplicate public key advertisements
- Rapid succession of NodeInfo packets for the same NodeID with conflicting attributes
Detection Strategies
- Monitor for NodeInfo packets that advertise HAM mode for nodes previously configured with PKC encryption
- Implement logging for all NodeDB update operations and flag public key mismatches
- Deploy network monitoring to detect unusual patterns of NodeInfo broadcasts, particularly repeated transmissions following legitimate node updates
- Alert on client notifications regarding duplicate public key advertisements
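The detection strategies above can be exercised offline. The following Python is an added defender-side example (not code from this page or from the Meshtastic project) that models the patched NodeDB acceptance rule and raises the listed indicators over a constructed sequence of NodeInfo packets; the NodeInfo field names, the use of is_licensed to stand for HAM mode, and the 30-second burst window are assumptions.

```python
from dataclasses import astuple, dataclass, field

# Constructed samples modelled on Meshtastic NodeInfo/User fields (is_licensed == HAM mode).
OUR_KEY = bytes([0x11]) * 32
KEY_A = bytes([0xA1]) * 32

@dataclass
class NodeInfo:
    node_id: int
    long_name: str
    short_name: str
    public_key: bytes   # 32-byte key, or b"" when the node claims HAM mode / no PKC
    is_licensed: bool   # True == HAM mode: unencrypted, no PKC
    t: float            # receive time in seconds

@dataclass
class NodeDbAuditor:
    """Defender-side model of the patched acceptance rule; process() returns (accepted, alerts)."""
    our_key: bytes
    db: dict = field(default_factory=dict)   # node_id -> last accepted NodeInfo

    def process(self, p: NodeInfo) -> tuple[bool, list[str]]:
        alerts, nid = [], f"!{p.node_id:08x}"
        # Patched behaviour: a remote node advertising our own key is rejected, not just warned about.
        if len(p.public_key) == 32 and p.public_key == self.our_key:
            return False, [f"{nid}: advertises our own public key; rejected"]
        known = self.db.get(p.node_id)
        if known is not None:
            changed = astuple(p)[1:5] != astuple(known)[1:5]   # names, key or HAM flag differ
            if changed and p.t - known.t < 30.0:   # assumed burst window: rapid conflicting NodeInfo
                alerts.append(f"{nid}: conflicting NodeInfo {p.t - known.t:.0f}s after the last one")
            if known.public_key and p.public_key != known.public_key:
                # Patched behaviour: a recorded key is never replaced by a different or empty one.
                alerts.append(f"{nid}: public key changed or dropped; rejected")
                if p.is_licensed and not known.is_licensed:
                    alerts.append(f"{nid}: HAM mode advertised for a PKC node (downgrade attempt)")
                return False, alerts
            if (p.long_name, p.short_name) != (known.long_name, known.short_name):
                alerts.append(f"{nid}: name changed {known.long_name!r} -> {p.long_name!r}")
        self.db[p.node_id] = p
        return True, alerts

def run_demo() -> tuple[NodeDbAuditor, list[str]]:
    # Replay: legitimate advert, forged HAM downgrade, rapid rename, a node echoing our own key.
    auditor, log = NodeDbAuditor(OUR_KEY), []
    for p in [NodeInfo(0xDEADBEEF, "Alice", "ALC", KEY_A, False, 0.0),
              NodeInfo(0xDEADBEEF, "Alice", "ALC", b"", True, 5.0),
              NodeInfo(0xDEADBEEF, "Eve", "EVE", KEY_A, False, 6.0),
              NodeInfo(0xCAFEF00D, "Bob", "BOB", OUR_KEY, False, 7.0)]:
        log.extend(auditor.process(p)[1])
    return auditor, log
```

The forged HAM downgrade and the echoed key are rejected and the recorded key for !deadbeef stays intact, while the rename with a matching key is accepted but flagged for review.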
Monitoring Recommendations
- Enable verbose logging on Meshtastic nodes to capture all NodeInfo processing events
- Periodically audit NodeDB contents across mesh nodes for consistency
- Monitor for anomalous communication patterns where PKC-enabled nodes suddenly receive shared channel encrypted messages
- Track firmware versions across the mesh to identify unpatched nodes
How to Mitigate CVE-2025-55292
Immediate Actions Required
- Update all Meshtastic firmware to version 2.7.6.834c3c5 or later immediately
- Audit current NodeDB entries for any unexpected modifications to node attributes
- If compromise is suspected, regenerate public keys for affected nodes
- Review mesh network logs for any warning messages about duplicate public key advertisements
Patch Information
Meshtastic has released a security patch in firmware version 2.7.6.834c3c5 that addresses this vulnerability. The fix ensures that NodeDB updates are rejected when there is a public key mismatch, preventing attackers from overwriting legitimate node information. The patch is available via the official firmware commit. For detailed technical information, refer to the GitHub Security Advisory GHSA-45vg-3f35-7ch2.
Workarounds
- Avoid using HAM mode in environments where node spoofing is a concern, as HAM mode by design lacks confidentiality and authentication
- Implement physical security measures to limit attacker proximity to the mesh network
- Monitor for unexpected NodeInfo changes and manually verify node configurations if anomalies are detected
- Consider network segmentation to limit the blast radius of potential spoofing attacks
# Verify firmware version on Meshtastic device
meshtastic --info | grep -i firmware
# Update firmware to patched version
meshtastic --firmware-update 2.7.6.834c3c5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.