CVE-2024-10525
published 2024-10-30


Priority: P271
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 57.90% (99.0th percentile)
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.

Affected

13 ranges

Vendor             | Product   | Version range                                   | Fixed in
debian             | mosquitto | < mosquitto 2.0.11-1.2+deb12u2 (bookworm)       | mosquitto 2.0.11-1.2+deb12u2 (bookworm)
eclipse            | mosquitto | >= 0 < 2.0.11-1+deb11u2                         | 2.0.11-1+deb11u2
eclipse            | mosquitto | >= 0 < 2.0.11-1.2+deb12u2                       | 2.0.11-1.2+deb12u2
eclipse            | mosquitto | >= 0 < 2.0.20-1                                 | 2.0.20-1
eclipse            | mosquitto | >= 0 < 2.0.20-1                                 | 2.0.20-1
eclipse            | mosquitto | >= 0 < 2.0.11-1ubuntu1.2                        | 2.0.11-1ubuntu1.2
eclipse            | mosquitto | >= 0 < 0.15-2+deb7u3ubuntu0.1+esm1              | 0.15-2+deb7u3ubuntu0.1+esm1
eclipse            | mosquitto | >= 0 < 1.4.8-1ubuntu0.16.04.7+esm2              | 1.4.8-1ubuntu0.16.04.7+esm2
eclipse            | mosquitto | >= 0 < 1.4.15-2ubuntu0.18.04.3+esm2             | 1.4.15-2ubuntu0.18.04.3+esm2
eclipse            | mosquitto | >= 0 < 1.6.9-1ubuntu0.1~esm2                    | 1.6.9-1ubuntu0.1~esm2
eclipse            | mosquitto | >= 0 < 2.0.18-1ubuntu0.1~esm1                   | 2.0.18-1ubuntu0.1~esm1
eclipse            | mosquitto | >= 1.3.2 < 2.0.19                               | 2.0.19
eclipse_foundation | mosquitto | 1.3.2 – 2.0.18                                  | (not listed)

Detection & IOCs

  • Trigger condition: a malicious/rogue MQTT broker sends a crafted SUBACK packet containing NO reason codes, causing the libmosquitto client to perform out-of-bounds memory access in its on_subscribe callback.
  • Affected clients to monitor/patch: mosquitto_sub and mosquitto_rr — these are the specific binaries that invoke the vulnerable on_subscribe callback path.
  • Vulnerable version range is Eclipse Mosquitto 1.3.2 through 2.0.18 (inclusive). Any deployment of libmosquitto or its CLI clients within this range is exploitable by a malicious broker.
  • The vulnerability is classified as a heap buffer overflow (CVE title: 'heap buffer overflow in my_subscribe_callback'). Crash signatures or heap-corruption telemetry from mosquitto_sub/mosquitto_rr processes should be treated as potential exploitation indicators.
  • Impact can escalate beyond DoS: a specially crafted SUBACK with no reason codes may lead to arbitrary code execution in the client process, not just a crash.
  • The attack requires a malicious (rogue) broker — exploitation is only possible if the libmosquitto client connects to an attacker-controlled MQTT broker. Clients connecting exclusively to trusted, internal brokers have significantly reduced exposure.
  • Red Hat Satellite 6 (mosquitto package) is marked 'Will not fix', meaning patched packages will not be delivered for that product. Operators relying on Satellite 6 must apply mitigations manually.
  • Fixed versions by distribution: Debian bookworm ≥ 2.0.11-1.2+deb12u2, bullseye ≥ 2.0.11-1+deb11u2, forky/sid/trixie ≥ 2.0.20-1. Upstream fix is in Mosquitto 2.0.19+.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v4.0    | 7.2   | HIGH     | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv           |         | 7.2   | HIGH     |
vendor_ubuntu |         | 9.8   | CRITICAL |
vendor_debian |         | 7.2   | HIGH     |
vendor_redhat |         | 7.2   | HIGH     |