github Yeraze/meshmonitor v4.2.1


MeshMonitor v4.2.1 — Security release

All 4.x deployments should upgrade. This release fixes three high-severity authorization issues reachable by unauthenticated visitors under the standard public-viewer configuration, plus one medium-severity authenticated-user privilege escalation. See SECURITY_ADVISORY.md for full per-finding details.

Summary

v4.2.1 is a focused security and stability release. It closes the MM-SEC-1/2/3/4 advisory series reported by an external researcher: anonymous disclosure of the auto-generated VAPID private key via GET /api/settings (MM-SEC-1), anonymous disclosure of every channel's PSK via GET /api/channels and /api/poll (MM-SEC-2), anonymous disclosure of hidden-channel message content via /api/poll (MM-SEC-3), and authenticated-user privilege escalation across the channel-mutation endpoints (MM-SEC-4). Two adjacent fixes also land: a long-standing decode bug where empty channel names were silently dropped during channel-URL import (#2900), and admin-packet pacing during config import to work around a firmware-side timing race that started causing system-test flakiness on Meshtastic firmware v2.7.22 (#2903). A new regression test locks in the system-backup tarball's exclusion of push_subscriptions, sessions, and backup_history (#2908). All v4.x deployments should upgrade — operators who ran a public-viewer dashboard with channel_0:read granted to anonymous should rotate exposed PSKs after upgrading, since PSK disclosure cannot be undone retroactively.

Security

  • MM-SEC-1 (High): Strip secret keys (vapid_private_key, securityDigestAppriseUrl, analyticsConfig, plus a *_private_key / *_secret / *_token tail-pattern denylist) from GET /api/settings for non-admin callers (#2904)
  • MM-SEC-2 (High): Stop returning channel.psk from /api/channels, /api/channels/all, and /api/poll. Hoist transformChannel into a shared module, add a per-row read permission check, and add a derived pskSet: boolean so callers can answer "is a PSK configured?" without seeing the key (#2905)
  • MM-SEC-3 (High): Filter messages by per-channel read in /api/poll, /api/messages, and /api/messages/unread-counts so a caller with channel_0:read can no longer see hidden-channel message content (#2906)
  • MM-SEC-4 (Medium): Per-channel write gate on PUT/DELETE /api/channels/:id, /api/channels/:id/export, /api/channels/:slotId/import, and /api/channels/reorder so a user with channel_0:write can no longer mutate any channel (#2907)
  • Coverage lock-in: BACKUP_TABLES regression test asserts that push_subscriptions, sessions, and backup_history are never re-added to the system-backup tarball; adds an operator-facing SECURITY_ADVISORY.md (#2908)

Bug Fixes

  • Channel URL decode: Preserve empty channel names instead of silently dropping them — fixes round-trip imports of channel-set URLs whose primary channel is unnamed (#2900)
  • Config import pacing: Bump admin-packet inter-message delays from 500/300/500 ms to 2000/1000/1500 ms across /channels/import-config, /channels/reorder, and the local + remote /admin/import-config paths. Works around a firmware-side timing race in Meshtastic v2.7.22 where the first SetChannel admin packet after a tight BeginEditSettings was being silently dropped, causing intermittent CI failures (#2903)

Upgrade notes

After upgrading, rotate any channel PSKs that were exposed while a public-viewer dashboard with channel_0:read was reachable. The PSK disclosure under MM-SEC-2 is the highest-impact finding because anyone who saved the keys before the patch can still decrypt mesh traffic captured at the time. The leak is irreversible — only key rotation closes it.

If you never set VAPID_PUBLIC_KEY / VAPID_PRIVATE_KEY / VAPID_SUBJECT via environment variables, also rotate the auto-generated VAPID key: delete the three vapid_* rows from the settings table and restart. Existing browser push subscriptions are invalidated — clients re-subscribe transparently on next visit.

The MM-SEC-4 fix tightens the per-channel write check from a static channel_0:write gate to a per-row check using the URL's actual :id. Users who previously relied on having only channel_0:write to manage every channel will now need explicit per-channel grants. Audit accounts and grant per-channel permissions as needed.
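As an added illustration of the MM-SEC-2/3/4 fixes listed under Security and the per-row write check described just above (example code, not MeshMonitor's own): the permission-string format, the type and function names, and the sample data are assumptions modelled on the channel_0:read / channel_0:write grants the notes mention.

```typescript
// Added example, not MeshMonitor's code. Permission strings are assumed to
// follow the channel_<slot>:<action> pattern quoted in the release notes.
type Action = "read" | "write";
type Permissions = ReadonlySet<string>;

interface Channel { id: number; name: string; psk: string; }
interface Message { id: number; channel: number; text: string; }
type PublicChannel = Omit<Channel, "psk"> & { pskSet: boolean };

function hasPermission(perms: Permissions, channel: number, action: Action): boolean {
  return perms.has(`channel_${channel}:${action}`);
}

// MM-SEC-2: apply the per-row read check first, then strip the PSK and
// expose only the derived pskSet flag so the caller never sees the key.
function transformChannel(ch: Channel, perms: Permissions): PublicChannel | null {
  if (!hasPermission(perms, ch.id, "read")) return null;
  const { psk, ...rest } = ch;
  return { ...rest, pskSet: psk.length > 0 };
}

// MM-SEC-3: poll/message responses keep only messages on readable channels,
// so channel_0:read no longer reveals hidden-channel content.
function filterMessages(msgs: Message[], perms: Permissions): Message[] {
  return msgs.filter((m) => hasPermission(perms, m.channel, "read"));
}

// MM-SEC-4, before: a static channel_0:write gate covered every channel.
function legacyCanMutate(perms: Permissions): boolean {
  return hasPermission(perms, 0, "write");
}

// MM-SEC-4, after: the write check uses the channel id named in the URL.
function canMutateChannel(perms: Permissions, id: number): boolean {
  return hasPermission(perms, id, "write");
}

// Constructed sample data (placeholder PSK values, not real keys).
const anonymousViewer: Permissions = new Set(["channel_0:read"]);
const slotZeroWriter: Permissions = new Set(["channel_0:write"]);
const channels: Channel[] = [
  { id: 0, name: "", psk: "psk-placeholder-0" },
  { id: 1, name: "hidden", psk: "psk-placeholder-1" },
];
const messages: Message[] = [
  { id: 1, channel: 0, text: "public hello" },
  { id: 2, channel: 1, text: "hidden content" },
];
```

Running the constructed data through the functions shows the anonymous viewer getting channel 0 with pskSet true and no psk field, null for channel 1, and only message 1; the slot-zero writer passes the legacy gate for any channel but the per-row gate only for channel 0.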

Full Changelog

v4.2.0...v4.2.1

🚀 MeshMonitor v4.2.1

📦 Installation

Docker (recommended):

docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/Yeraze/meshmonitor:4.2.1

🧪 Testing

✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7

📋 Changes

See commit history for detailed changes.
