CVE-2024-10525
Published 2024-10-30
Priority: P2 (71) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 57.90% (99.0th percentile)
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mosquitto | < 2.0.11-1.2+deb12u2 (bookworm) | 2.0.11-1.2+deb12u2 (bookworm) |
| eclipse | mosquitto | >= 0 < 2.0.11-1+deb11u2 | 2.0.11-1+deb11u2 |
| eclipse | mosquitto | >= 0 < 2.0.11-1.2+deb12u2 | 2.0.11-1.2+deb12u2 |
| eclipse | mosquitto | >= 0 < 2.0.20-1 | 2.0.20-1 |
| eclipse | mosquitto | >= 0 < 2.0.20-1 | 2.0.20-1 |
| eclipse | mosquitto | >= 0 < 2.0.11-1ubuntu1.2 | 2.0.11-1ubuntu1.2 |
| eclipse | mosquitto | >= 0 < 0.15-2+deb7u3ubuntu0.1+esm1 | 0.15-2+deb7u3ubuntu0.1+esm1 |
| eclipse | mosquitto | >= 0 < 1.4.8-1ubuntu0.16.04.7+esm2 | 1.4.8-1ubuntu0.16.04.7+esm2 |
| eclipse | mosquitto | >= 0 < 1.4.15-2ubuntu0.18.04.3+esm2 | 1.4.15-2ubuntu0.18.04.3+esm2 |
| eclipse | mosquitto | >= 0 < 1.6.9-1ubuntu0.1~esm2 | 1.6.9-1ubuntu0.1~esm2 |
| eclipse | mosquitto | >= 0 < 2.0.18-1ubuntu0.1~esm1 | 2.0.18-1ubuntu0.1~esm1 |
| eclipse | mosquitto | >= 1.3.2 < 2.0.19 | 2.0.19 |
| eclipse_foundation | mosquitto | 1.3.2 – 2.0.18 | — |
Detection & IOCs (extracted from sources)
- Trigger condition: a malicious/rogue MQTT broker sends a crafted SUBACK packet containing NO reason codes, causing the libmosquitto client to perform out-of-bounds memory access in its on_subscribe callback.
- Affected clients to monitor/patch: mosquitto_sub and mosquitto_rr — these are the specific binaries that invoke the vulnerable on_subscribe callback path.
- Vulnerable version range is Eclipse Mosquitto 1.3.2 through 2.0.18 (inclusive). Any deployment of libmosquitto or its CLI clients within this range is exploitable by a malicious broker.
- The vulnerability is classified as a heap buffer overflow (CVE title: 'heap buffer overflow in my_subscribe_callback'). Crash signatures or heap-corruption telemetry from mosquitto_sub/mosquitto_rr processes should be treated as potential exploitation indicators.
- Impact can escalate beyond DoS: a specially crafted SUBACK with no reason codes may lead to arbitrary code execution in the client process, not just a crash.
- The attack requires a malicious (rogue) broker — exploitation is only possible if the libmosquitto client connects to an attacker-controlled MQTT broker. Clients connecting exclusively to trusted, internal brokers have significantly reduced exposure.
- Red Hat Satellite 6 (mosquitto package) is marked 'Will not fix', meaning patched packages will not be delivered for that product. Operators relying on Satellite 6 must apply mitigations manually.
- Fixed versions by distribution: Debian bookworm ≥ 2.0.11-1.2+deb12u2, bullseye ≥ 2.0.11-1+deb11u2, forky/sid/trixie ≥ 2.0.20-1. Upstream fix is in Mosquitto 2.0.19+.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 7.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 7.2 | HIGH | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 7.2 | HIGH | — |
| vendor_redhat | — | 7.2 | HIGH | — |
Ubuntu
Eclipse Mosquitto vulnerabilities
vendor_ubuntu · 2025-04-16 · CVSS 9.8 · CRITICAL
Summary: Several security issues were fixed in Eclipse Mosquitto.
It was discovered that Eclipse Mosquitto client incorrectly handled memory when receiving a SUBACK packet. An attacker with a malicious broker could possibly use this issue to execute arbitrary code or cause a denial of service. (CVE-2024-10525)

Xiangpu Song discovered that Eclipse Mosquitto broker did not properly manage memory under certain circumstances. A malicious client with a remote connection could possibly use this issue to cause the broker to crash resulting in a denial of service, or another unspecified impact. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-3935)
Instructions: In general, a standard system update will make all the necessary ch
Red Hat
mosquitto: heap buffer overflow in my_subscribe_callback
vendor_redhat · 2024-10-30 · CVSS 7.2 · HIGH · CWE-122
A flaw was found in Eclipse Mosquitto. If a malicious broker sends a specially crafted packet, it may trigger a buffer overflow condition in a client using libmosquitto. This issue can lead to an application crash or, in some circumstances, arbitrary code execution.
Package: mosquitto (Red Hat Satellite 6) - Will not fix
Debian
CVE-2024-10525: mosquitto
vendor_debian · 2024 · CVSS 7.2 · HIGH
Scope: local
bookworm: resolved (fixed in 2.0.11-1.2+deb12u2)
bullseye: resolved (fixed in 2.0.11-1+deb11u2)
forky: resolved (fixed in 2.0.20-1)
sid: resolved (fixed in 2.0.20-1)
trixie: resolved (fixed in 2.0.20-1)
OSV
mosquitto vulnerabilities
osv · 2025-04-16 · CVSS 7.2 · HIGH
Carries the same advisory text as the Ubuntu entry above (CVE-2024-10525 and CVE-2024-3935).
OSV
CVE-2024-10525
osv · 2024-10-30 · CVSS 7.2 · HIGH
GHSA
GHSA-cm54-mprw-5279
ghsa_unreviewed · 2024-10-30 · HIGH · CWE-122
No detection rules found.
No public exploits indexed.
Published: 2024-10-30