MeshCore's Problem with Security
10 hours ago
- #Disclosure Process
- #Security Vulnerability
- #MeshCore
- The author reported a security vulnerability in MeshCore: an unchecked length field leading to a heap-based buffer overflow, fixed in v1.14.0.
- The disclosure process was problematic: there was no security contact, and the fix shipped silently without an advisory, leaving users uninformed about the vulnerability.
- Code quality issues include raw C arrays, manual bounds checks, implicit integer casts, a lack of automated tests, and weak cryptographic practices (AES-128 with a 2-byte MAC).
- MeshCore aims for an open ecosystem, but its official app is closed-source; an open-source alternative (MeshCore Open) exists.
- Recommendations: enable GitHub security advisories, improve serialization/deserialization, use safer data types, enable compiler warnings, and set up fuzzing.
- A comparison with Meshtastic shows better vulnerability handling there, with CVEs and a transparent disclosure process.
- Because of its poor security practices and lack of communication, MeshCore is not recommended for private or sensitive communication.
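The unchecked-length bug class from the first bullet and the deserialization, safer-types and fuzzing recommendations, shown together as an added C example that is not MeshCore's code: a length-prefixed frame parser over a constructed frame layout (an assumption, not MeshCore's wire format) with the bounds checks the unsafe pattern lacks, plus a libFuzzer entry point for the fuzzing recommendation.

```c
#include <stdint.h>
#include <string.h>

/* Constructed frame layout for illustration only (not MeshCore's real wire
 * format): one byte declaring the payload length, followed by the payload.
 * The unsafe pattern this replaces is `memcpy(out, frame + 1, frame[0])`
 * with no look at how many bytes the frame really carries or at the
 * capacity of the heap buffer `out`: a long declared length overruns both. */
#define PAYLOAD_CAP 32

/* Hardened parser: the length byte is widened explicitly to size_t (no
 * implicit signed arithmetic) and checked against the bytes actually present
 * and the destination capacity before any copy. Returns the payload length,
 * or -1 for a malformed frame. */
int parse_payload_checked(const uint8_t *frame, size_t frame_len,
                          uint8_t *out, size_t out_cap) {
    if (frame == NULL || out == NULL || frame_len < 1) return -1;
    size_t declared = frame[0];
    if (declared > frame_len - 1) return -1;  /* claims more than it carries */
    if (declared > out_cap) return -1;        /* would overrun the destination */
    memcpy(out, frame + 1, declared);
    return (int)declared;                     /* at most 255, cast is lossless */
}

/* Constructed frames exercising the parser; each returns its result. */
int demo_valid_frame(void) {
    const uint8_t frame[] = {3, 'a', 'b', 'c'};
    uint8_t out[PAYLOAD_CAP];
    int n = parse_payload_checked(frame, sizeof frame, out, sizeof out);
    return (n == 3 && memcmp(out, "abc", 3) == 0) ? n : -2;
}
int demo_truncated_frame(void) {   /* declares 10 bytes but carries only 2 */
    const uint8_t frame[] = {10, 'a', 'b'};
    uint8_t out[PAYLOAD_CAP];
    return parse_payload_checked(frame, sizeof frame, out, sizeof out);
}
int demo_oversized_frame(void) {   /* carries 40 bytes, destination holds 32 */
    uint8_t frame[41] = {40};
    uint8_t out[PAYLOAD_CAP];
    return parse_payload_checked(frame, sizeof frame, out, sizeof out);
}

/* libFuzzer entry point (assumes a build with -fsanitize=fuzzer,address):
 * the parser must never read or write out of bounds on any input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t out[PAYLOAD_CAP];
    (void)parse_payload_checked(data, size, out, sizeof out);
    return 0;
}
```

Built with the sanitizer flags in the comment, the fuzzer drives the same parser the demo functions call, so a regression in the length checks surfaces as an ASan report rather than a silent memory corruption.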