EclipseMosquitto

12 matches found

added 2023/10/02 8:15 p.m., 110 views

CVE-2023-3592

In Mosquitto before 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.

CVSS 7.5 | AI score 6.4 | EPSS 0.00038

added 2021/07/27 4:15 p.m., 97 views

CVE-2021-34432

In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.

CVSS 7.5 | AI score 7.3 | EPSS 0.00344

added 2018/04/24 2:29 p.m., 96 views

CVE-2017-7651

In Eclipse Mosquitto 1.4.14, a user can shut down the Mosquitto server simply by filling the RAM with a lot of connections with large payloads. This can be done without authentication if it occurs in the connection phase of the MQTT protocol.

CVSS 7.5 | AI score 7.2 | EPSS 0.21218

added 2023/09/01 4:15 p.m., 88 views

CVE-2023-28366

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

CVSS 7.5 | AI score 7.1 | EPSS 0.00128

added 2024/10/11 4:15 p.m., 88 views

CVE-2024-8376

In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.

CVSS 7.5 | AI score 7.5 | EPSS 0.00437

added 2018/04/25 1:29 p.m., 83 views

CVE-2017-7652

In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to the server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit ...

CVSS 7.5 | AI score 7.2 | EPSS 0.00941

added 2018/06/05 8:29 p.m., 80 views

CVE-2017-7654

In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability was found within the Mosquitto Broker. Unauthenticated clients can send crafted CONNECT packets which could cause a denial of service in the Mosquitto Broker.

CVSS 7.5 | AI score 7.1 | EPSS 0.01288

added 2021/12/01 8:15 p.m., 73 views

CVE-2021-41039

In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service.

CVSS 7.5 | AI score 7.2 | EPSS 0.00225

added 2019/03/27 8:29 p.m., 68 views

CVE-2017-7655

In Eclipse Mosquitto versions 1.0 to 1.4.15, a Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library.

CVSS 7.5 | AI score 7.3 | EPSS 0.00834

added 2018/11/15 3:29 p.m., 61 views

CVE-2018-12543

In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit.

CVSS 7.5 | AI score 7.2 | EPSS 0.02456

added 2023/10/18 9:15 a.m., 55 views

CVE-2023-5632

In Eclipse Mosquitto before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results in excessive CPU consumption. This could be used by a malicious actor to perform a denial-of-service type attack. This issue is fixe...

CVSS 7.5 | AI score 7.1 | EPSS 0.00094

added 2018/12/13 8:29 p.m., 39 views

CVE-2018-20145

Eclipse Mosquitto 1.5.x before 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.

CVSS 7.5 | AI score 7.3 | EPSS 0.00226