
Yeraze/meshmonitor

v3.7.2 Security

This release includes 2 security fixes and is relevant for security teams reviewing exposed deployments.

Published 3mo Monitoring & Metrics
✓ No known CVEs patched

Topics

meshcore meshtastic mqtt

Affected surfaces

auth rbac

Summary

AI summary

Enforce channel-based permission checks on telemetry and position endpoints to prevent unauthorized data access.

Full changelog

What's Changed

Security

  • Enforce channel-based permission checks on telemetry and position endpoints — Anonymous and limited users can no longer fetch telemetry or position data for nodes on channels they don't have viewOnMap permission for. Closes AUTHZ-VULN-02 from the Shannon pentest. (#2038)
  • Regenerate session after authentication to prevent session fixation (#2034)
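The first fix above, modelled as an added example (not MeshMonitor's own code): a vulnerable telemetry handler that checks only the node id, beside the corrected form in which both the telemetry and position endpoints first resolve the node's channel and require the caller's viewOnMap permission on it. The roles, node ids, channel numbers and field names are constructed for the example; only viewOnMap comes from the release notes.

```typescript
// Added example, not MeshMonitor's own code: models the v3.7.2 authorization fix
// with an in-memory node table. Node ids, channel numbers and field names are
// constructed; the viewOnMap permission name is the one the release notes use.
type Role = "anonymous" | "limited" | "admin";
type ChannelPerm = "viewOnMap" | "sendMessages";
interface User { role: Role; channelPerms: Record<number, ChannelPerm[]> }
interface MeshNode {
  nodeId: string;
  channel: number;                         // channel the node was heard on
  telemetry: { batteryLevel: number };
  position: { lat: number; lon: number };
}
interface ApiResult { status: number; body?: unknown }
// Constructed sample data: channel 0 is the public primary channel,
// channel 3 stands in for a private channel only some users may view.
const nodes: Record<string, MeshNode> = {
  "!a1b2c3d4": { nodeId: "!a1b2c3d4", channel: 0,
    telemetry: { batteryLevel: 92 }, position: { lat: 51.5, lon: -0.12 } },
  "!e5f60718": { nodeId: "!e5f60718", channel: 3,
    telemetry: { batteryLevel: 41 }, position: { lat: 48.85, lon: 2.35 } },
};

function hasChannelPerm(user: User, channel: number, perm: ChannelPerm): boolean {
  if (user.role === "admin") return true;  // admins see every channel
  return (user.channelPerms[channel] ?? []).includes(perm);
}

// Before the fix: only the node id was looked up, so any caller, anonymous
// included, that supplied a node id received its data whatever channel it was on.
function getTelemetryVulnerable(_user: User, nodeId: string): ApiResult {
  const node = nodes[nodeId];
  return node ? { status: 200, body: node.telemetry } : { status: 404 };
}

// After the fix: resolve the node's channel first, then require viewOnMap on that
// channel. Both the telemetry and position endpoints share this one guard.
function authorizeNodeRead(user: User, nodeId: string): MeshNode | ApiResult {
  const node = nodes[nodeId];
  if (!node) return { status: 404 };
  if (!hasChannelPerm(user, node.channel, "viewOnMap")) return { status: 403 };
  return node;
}
function getTelemetry(user: User, nodeId: string): ApiResult {
  const r = authorizeNodeRead(user, nodeId);
  return "status" in r ? r : { status: 200, body: r.telemetry };
}
function getPosition(user: User, nodeId: string): ApiResult {
  const r = authorizeNodeRead(user, nodeId);
  return "status" in r ? r : { status: 200, body: r.position };
}
```

Keeping the channel lookup and the permission check in one shared guard is what stops the two endpoints from drifting apart again; a test that calls each endpoint as an anonymous user against a node on a non-public channel is the regression check to keep.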

Features

  • Exchange Position with selectable channel — Users can now choose which channel to send position exchange requests on. (#2026, closes #2021)
  • Light/dark overlay color schemes for map elements — Map overlays now respect the current theme. (#2028, closes #2020)
  • Add Watch and Reboot + Home Assistant Bridge to user scripts gallery — Two new community scripts from @maxhayim. (#2039, closes #2035, #2036)

Bug Fixes

  • AutoAnnounce channel selection ignores disabled channels (#2025, closes #2024)
  • Duplicate outgoing messages in chat (#2029, closes #2027)
  • Deploy upgrade watchdog to legacy path for backward compat (#2030, closes #1888)
  • Reduce node load to prevent firmware heap exhaustion (#2031, closes #2013)
  • Poll interval now respects WebSocket connection state internally (#2032)
  • Position precision accuracy was 2x off from Meshtastic documentation — The accuracy estimate displayed for precision bits (both in the info panel and on the map rectangle) was double the correct value. Now matches Meshtastic docs exactly. (#2040, closes #2037)
  • Fix CSRF token invalidation in system tests — After the session fixation fix, system tests needed to re-fetch the CSRF token post-login. (#2042)

Translations

  • Russian translation updates via Weblate (#2033, #2041)

Full Changelog: https://github.com/Yeraze/meshmonitor/compare/v3.7.1...v3.7.2

🚀 MeshMonitor v3.7.2

📦 Installation

Docker (recommended):

docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/Yeraze/meshmonitor:3.7.2

🧪 Testing

✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7

📋 Changes

See commit history for detailed changes.

Security Fixes

  • AUTHZ-VULN-02 – Enforce channel-based permission checks on telemetry and position endpoints; anonymous/limited users can no longer fetch data for nodes on channels where they lack the viewOnMap permission.
  • Prevent session fixation by regenerating sessions after authentication


