{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45038", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-08-21T17:53:51.330Z", "datePublished": "2024-08-27T20:36:34.548Z", "dateUpdated": "2024-08-28T14:00:41.737Z"}, "containers": {"cna": {"title": "Device crash via malformed MQTT packet when downlink is enabled in Meshtastic device firmware", "problemTypes": [{"descriptions": [{"cweId": "CWE-755", "lang": "en", "description": "CWE-755: Improper Handling of Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/meshtastic/firmware/security/advisories/GHSA-3x3r-vw9f-pxq5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/meshtastic/firmware/security/advisories/GHSA-3x3r-vw9f-pxq5"}], "affected": [{"vendor": "meshtastic", "product": "firmware", "versions": [{"version": "< 2.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-27T20:36:34.548Z"}, "descriptions": [{"lang": "en", "value": "Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic device firmware is subject to a denial of serivce vulnerability in MQTT handling, fixed in version 2.4.1 of the Meshtastic firmware and on the Meshtastic public MQTT Broker. It's strongly suggested that all users of Meshtastic, particularly those that connect to a privately hosted MQTT server, update to this or a more recent stable version right away. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-3x3r-vw9f-pxq5", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "meshtastic", "product": "firmware", "cpes": ["cpe:2.3:a:meshtastic:firmware:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.4.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-28T13:58:29.055471Z", "id": "CVE-2024-45038", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T14:00:41.737Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45038", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-28T13:58:29.055471Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:meshtastic:firmware:*:*:*:*:*:*:*:*"], "vendor": "meshtastic", "product": "firmware", "versions": [{"status": "affected", "version": "0", "lessThan": "2.4.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T14:00:35.301Z"}}], "cna": {"title": "Device crash via malformed MQTT packet when downlink is enabled in Meshtastic device firmware", "source": {"advisory": "GHSA-3x3r-vw9f-pxq5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "meshtastic", "product": "firmware", "versions": [{"status": "affected", "version": "< 2.4.1"}]}], "references": [{"url": "https://github.com/meshtastic/firmware/security/advisories/GHSA-3x3r-vw9f-pxq5", "name": "https://github.com/meshtastic/firmware/security/advisories/GHSA-3x3r-vw9f-pxq5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic device firmware is subject to a denial of serivce vulnerability in MQTT handling, fixed in version 2.4.1 of the Meshtastic firmware and on the Meshtastic public MQTT Broker. It's strongly suggested that all users of Meshtastic, particularly those that connect to a privately hosted MQTT server, update to this or a more recent stable version right away. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-755", "description": "CWE-755: Improper Handling of Exceptional Conditions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-08-27T20:36:34.548Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45038", "state": "PUBLISHED", "dateUpdated": "2024-08-28T14:00:41.737Z", "dateReserved": "2024-08-21T17:53:51.330Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-08-27T20:36:34.548Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:meshtastic:meshtastic_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1EF8629E-08D8-41A8-AD07-B9710BEE3171", "versionEndExcluding": "2.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Meshtastic device firmware is a firmware for meshtastic devices to run an open source, off-grid, decentralized, mesh network built to run on affordable, low-power devices. Meshtastic device firmware is subject to a denial of serivce vulnerability in MQTT handling, fixed in version 2.4.1 of the Meshtastic firmware and on the Meshtastic public MQTT Broker. It's strongly suggested that all users of Meshtastic, particularly those that connect to a privately hosted MQTT server, update to this or a more recent stable version right away. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "El firmware del dispositivo Meshtastic es un firmware para que los dispositivos meshtastic ejecuten una red de malla de c\u00f3digo abierto, fuera de la red, descentralizada y dise\u00f1ada para funcionar en dispositivos asequibles y de bajo consumo. El firmware del dispositivo Meshtastic est\u00e1 sujeto a una vulnerabilidad de denegaci\u00f3n de servicio en el manejo de MQTT, corregida en la versi\u00f3n 2.4.1 del firmware Meshtastic y en el Broker MQTT p\u00fablico Meshtastic. Se recomienda encarecidamente que todos los usuarios de Meshtastic, especialmente aquellos que se conectan a un servidor MQTT alojado de forma privada, actualicen a esta o a una versi\u00f3n estable m\u00e1s reciente de inmediato. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-45038", "lastModified": "2025-10-21T14:06:33.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-08-27T21:15:07.380", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/meshtastic/firmware/security/advisories/GHSA-3x3r-vw9f-pxq5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}