CVE-2025-10543 — Numeric Truncation Error in Eclipse Paho.mqtt.golang

CWE-197 — Numeric Truncation Error CWE-681 — Incorrect Conversion between Numeric Types6 documents5 sources

Severity

6.3MEDIUMNVD

EPSS

0.0%

top 84.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Eclipse Paho.mqtt.golang Eclipse Foundation Paho.mqtt.golang Eclipse Paho Mqtt +9 more

Timeline

PublishedDec 2

Latest updateDec 15

Description

In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet). The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages12 packages

▶Gogithub.com/eclipse_paho.mqtt.golang< 1.5.1

▶CVEListV5eclipse_foundation/paho.mqtt.golang1.5.0

▶NVDeclipse/paho_mqtt1.5.0

▶msrcmsrc/azl3_influxdb_2.7.5-8_on_azure_linux_3.0

▶msrcmsrc/azl3_influxdb_2.7.5-10_on_azure_linux_3.0

🔴Vulnerability Details

OSV

Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes in github.com/eclipse/paho.mqtt.golang↗2025-12-15

▶

GHSA

Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes↗2025-12-02

▶

OSV

Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes↗2025-12-02

▶

📋Vendor Advisories

Microsoft

CVE-2025-10543: Mariner: Mariner eclipse: eclipse Customer Action Required: Yes Remediation: CBL-Mariner Releases Reference: https://learn↗2025-12-09

▶

Red Hat

paho.mqtt.golang: paho.mqtt.golang: Integer Overflow in UTF-8 String Encoding↗2025-12-02

▶