This release includes 1 security fix; of interest to security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: MeshCore now includes automations such as auto-announce and timer triggers; a reconnect-loop bug is fixed; security hardening mitigates ReDoS, regex DoS, and log injection.
Why it matters: Security fact (id 35005, severity 80): this release hardens MeshCore against CodeQL-detected polynomial ReDoS, regex denial-of-service, and log injection via validation and sanitization. All users relying on MeshCore neighbor endpoints or logging should upgrade to mitigate these high-severity risks.
Summary
AI summary: Broad release touches MeshCore Automations, Bug Fixes, MeshMonitor v4.8.1, and Issues Resolved.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | High | Hardens against CodeQL-detected polynomial ReDoS, regex DoS, and log injection via input validation and sanitization. Source: llm_adapter@2026-05-28. Confidence: high. | none |
| Feature | Low | Adds MeshCore automations: auto-announce, auto-responder, timer triggers, and auto-acknowledge. Source: llm_adapter@2026-05-28. Confidence: high. | none |
| Bugfix | Medium | Fixes deterministic 3×/min reconnect loop on TCP Meshtastic sources by guarding handleConnected against a transport-swap race. Source: llm_adapter@2026-05-28. Confidence: low. | none |
| Bugfix | Low | Adds input validation for MeshCore neighbor publicKey parameters to address a CodeQL user-controlled-bypass issue. Source: llm_adapter@2026-05-28. Confidence: low. | none |
Full changelog
MeshMonitor v4.8.1
Patch release combining a MeshCore automation suite (auto-announce, auto-responder, timer triggers, and auto-acknowledge), a connection-stability fix that eliminates the deterministic 3×/min reconnect loop on TCP Meshtastic sources, and a round of CodeQL-driven security hardening (polynomial ReDoS, log injection, regex DoS) plus MeshCore neighbor publicKey input validation. Also includes a translations refresh from Hosted Weblate.
Features
MeshCore Automations
- #3249 feat(meshcore): Auto-announce, auto-responder, and timer triggers. Three new per-source automations in the MeshCore Automation view:
  - Auto-Announce: periodically broadcast a templated status message to selected channels on an interval or cron schedule, with an optional advert burst, live preview, and Send Now.
  - Auto-Responder: reply to incoming messages matching an operator-defined regex with a text response or a script, with per-channel/DM filtering and per-sender cooldown.
  - Timer Triggers: schedule recurring text/advert/script actions, each on its own cron or interval.
  - Shared token expansion (`{VERSION}`, `{DURATION}`, `{CONTACTCOUNT}`, `{COMPANIONCOUNT}`, `{REPEATERCOUNT}`, `{ROOMCOUNT}`, `{NODE_NAME}`, `{NODE_ID}`) across all three, surfaced in the UI via an inline token legend.
- #3245 feat(meshcore): Auto-acknowledge automation with channels, DM, and macros. Operator-configurable auto-ACK rules per source with per-channel/DM scope and templated macro responses.
Bug Fixes
- #3248 fix(stability): Guard `handleConnected` against transport-swap race (closes #3247). On TCP Meshtastic sources, `handleConnected` could observe `this.transport` get nulled during its own async setup chain (`notifyNodeConnected`, channel snapshot), causing `sendWantConfigId` to throw `Transport not initialized`. The catch block then treated that as a transient post-connect reset and tore down the (still-healthy) session, reproducing the same race on the next reconnect and producing a deterministic 3×/min reconnect loop on otherwise-fine TCP sockets. The handler now captures the transport reference at entry, and the catch block distinguishes "transport went away mid-handshake" (silent bail) from a genuine transport-layer send failure (existing teardown path preserved).
- #3240 fix: Add input validation for MeshCore neighbor publicKey parameters. Validate-and-extract pubkey for neighbor endpoints to address CodeQL `js/user-controlled-bypass`.
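The #3248 race, as an added illustration written for this page rather than taken from MeshMonitor: a synchronous stand-in in which `duringSetup` models the awaited setup chain and a transport swap that can fire inside it; the class, method and return-value names are assumptions.

```javascript
// Added illustration of the #3248 race, not MeshMonitor's code. `duringSetup` stands in for the
// awaited setup chain (notifyNodeConnected, channel snapshot); a reconnect path may swap or null
// `this.transport` while that chain is in flight. All names and return values are assumptions.
function makeTransport(healthy = true) {
  return {
    sendWantConfigId() {
      if (!healthy) throw new Error('socket closed'); // genuine transport-layer send failure
      return 'sent';
    },
  };
}

class Connection {
  constructor(transport) {
    this.transport = transport;
    this.teardowns = 0; // how many times the session was torn down
  }
  sendWantConfigId() {
    if (!this.transport) throw new Error('Transport not initialized');
    return this.transport.sendWantConfigId();
  }
  // Before the fix: any error in the chain is treated as a post-connect reset and tears the
  // session down, even when the transport was merely swapped under us.
  handleConnectedBefore(duringSetup) {
    try {
      duringSetup(this);
      return this.sendWantConfigId();
    } catch (err) {
      this.teardowns += 1;
      return 'torn-down';
    }
  }
  // After the fix: capture the transport at entry; in the catch block, a transport that is no
  // longer the one we started with means "went away mid-handshake", so bail silently.
  handleConnectedAfter(duringSetup) {
    const transport = this.transport;
    try {
      duringSetup(this);
      return this.sendWantConfigId();
    } catch (err) {
      if (this.transport !== transport) return 'stale';
      this.teardowns += 1;
      return 'torn-down';
    }
  }
}

// Scenario hooks: a transport swap mid-setup vs. a quiet setup chain.
const swapMidSetup = (conn) => { conn.transport = null; };
const quietSetup = () => {};
```

Running the swap scenario through both handlers shows the old path tearing down a healthy session while the new path returns without a teardown; a real send failure still tears down in both.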
Security
- #3246 fix(security): Close CodeQL polynomial-ReDoS + harden regex compile and logger sanitization. Hardens several user-input code paths against denial of service via crafted regular expressions and against log-injection patterns surfaced by CodeQL static analysis.
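The validate-and-extract check from #3240 together with the logger sanitization and regex-compile hardening from #3246, as one added example written for this page and not MeshMonitor's own code; it assumes the 64-hex publicKey and 8-hex nodeId shapes stated in the v4.7.2 note, and every limit and function name is illustrative.

```javascript
// Added example, not MeshMonitor's code: the three hardening classes named in #3240 and #3246.
// Assumptions: a MeshCore publicKey is 64 hex chars and a nodeId is 8 hex chars (per the v4.7.2
// note); the length limits and every function name here are constructed for illustration.
const PUBLIC_KEY_RE = /^[0-9a-f]{64}$/;
const NODE_ID_RE = /^[0-9a-f]{8}$/;
const MAX_PATTERN_LEN = 200;  // cap on an operator-defined auto-responder pattern
const MAX_SUBJECT_LEN = 4096; // cap on text ever fed to a regex

// Validate-and-extract: only a single string of the exact shape passes, normalised to lowercase.
// Query parsers return arrays or objects for repeated/bracketed params (?publicKey[]=..), which
// is what slips past loose checks such as `.includes()` or `.length` (the user-controlled-bypass
// class CodeQL flags), so reject on type before looking at content.
function extractHex(value, re) {
  if (typeof value !== 'string') return null;
  const v = value.trim().toLowerCase();
  return re.test(v) ? v : null;
}
const extractPublicKey = (v) => extractHex(v, PUBLIC_KEY_RE);
const extractNodeId = (v) => extractHex(v, NODE_ID_RE);

// Log injection: CR/LF in a sender-controlled field forges extra log lines, and other C0
// controls can corrupt terminals or log viewers. Escape them visibly rather than dropping them,
// and cap the length so one message cannot flood the log.
function sanitizeForLog(value, max = 256) {
  return String(value)
    .slice(0, max)
    .replace(/[\x00-\x1f\x7f]/g, (c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Regex DoS: compile an operator pattern once, under a length cap and in try/catch (a syntax
// error must not crash the automation loop), and only ever run it against a bounded slice of
// the subject, which bounds the work of polynomial-time patterns such as /\s+$/ on the input side.
function compileOperatorRegex(pattern) {
  if (typeof pattern !== 'string' || pattern.length > MAX_PATTERN_LEN) return null;
  try {
    return new RegExp(pattern, 'i');
  } catch (err) {
    return null;
  }
}
function matchesBounded(re, text) {
  return re.test(String(text).slice(0, MAX_SUBJECT_LEN));
}
```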
Other
- #3208 chore(i18n): Translations update from Hosted Weblate.
Issues Resolved
- #3247 [BUG] Per-minute reconnect loop: 'Transport not initialized' race tears down healthy TCP sessions. Closed by #3248.
Upgrade Notes
No breaking changes. Standard upgrade: pull the new image / Helm chart / desktop bundle.
Full Changelog: https://github.com/Yeraze/meshmonitor/compare/v4.8.0...v4.8.1
MeshMonitor v4.8.1
Installation
Docker (recommended):

```shell
docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/yeraze/meshmonitor:4.8.1   # image path lowercased: Docker rejects uppercase repository names
```
Testing
- All tests passed
- TypeScript checks passed
- Docker images built for linux/amd64, linux/arm64, linux/arm/v7
Changes
See commit history for detailed changes.
Security Fixes
- CodeQL-driven hardening against polynomial-ReDoS, regex DoS, and log-injection vulnerabilities
Earlier breaking changes
- v4.7.2: Route `destination` field now rejects a value that is neither an 8-hex nodeId nor a 64-hex publicKey, returning HTTP 400.