CVE-2025-52883

Name of the Vulnerable Software and Affected Versions: Meshtastic-Android versions prior to 2.5.21

Description: The issue allows an attacker to send an unencrypted direct message to a victim, impersonating any other node of the mesh. This message will be displayed in the same chat that the victim normally communicates with the other node, appearing as if it is using PKC (Public Key Cryptography), when in fact it is not. As a result, the victim may be provided with a false sense of security due to the green padlock displayed when using PKC, and they will read the attacker's message as legitimate.

Recommendations: For versions prior to 2.5.21, update to version 2.5.21 to resolve the issue. As a temporary workaround, consider implementing stricter control on whether a message has been received using PKC or using the shared Meshtastic channel key. Consider using an explicit indicator, such as the yellow half-open padlock displayed when in HAM mode, instead of showing no green padlock icon in the chat with no PKC.