Status: Untriaged
CVE-2024-10525
9.1 CRITICAL
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): HIGH
Eclipse Mosquitto: Heap Buffer Overflow in my_subscribe_callback
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet that carries no reason codes, a client built on libmosquitto may perform an out-of-bounds memory access inside its on_subscribe callback. The bundled mosquitto_sub and mosquitto_rr clients are affected.
References
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190
- https://mosquitto.org/blog/2024/10/version-2-0-19-released/
- https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d…
- https://lists.debian.org/debian-lts-announce/2025/02/msg00022.html
Affected products
- mosquitto <=2.0.18
Matching in nixpkgs
- pkgs.haskellPackages.mosquitto-hs (Mosquitto client library bindings): nixos-unstable: -; nixpkgs-unstable: 0.1.0.0
- pkgs.chickenPackages_5.chickenEggs.mosquitto (Bindings to mosquitto MQTT client library): nixos-unstable: -; nixpkgs-unstable: 0.1.5
Package maintainers
- @sikmir Nikolay Korotkiy <sikmir@disroot.org>
- @peterhoeg Peter Hoeg <peter@hoeg.com>