CVE-2024-10525
Published: 30 October 2024
Summary
CVE-2024-10525 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Eclipse Mosquitto. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
In Eclipse Mosquitto versions 1.3.2 through 2.0.18, a vulnerability in the libmosquitto client library allows an out-of-bounds memory access when processing a crafted SUBACK packet that contains no reason codes. The flaw occurs inside the on_subscribe callback and directly affects the mosquitto_sub and mosquitto_rr command-line clients. It is tracked under CWE-122 and CWE-787 and carries a CVSS 4.0 score of 7.2 with high impact on integrity and availability.
An attacker who controls or can impersonate an MQTT broker can send the malicious SUBACK packet to any connecting client that uses the vulnerable library. Successful exploitation results in memory corruption on the client, which may be leveraged to alter program behavior or cause a crash without requiring user interaction or elevated privileges on the client side.
The Mosquitto project addressed the issue in version 2.0.19, with the corrective change published in commit 8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c. Debian subsequently released updated packages through its LTS channels to back-port the fix for affected installations. The associated EPSS score has remained near 0.18 with no material increase since disclosure.
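As an added illustration (not Mosquitto's own code and not the upstream fix), the C parser below shows the client-side check that closes the condition described above: a SUBACK whose remaining length covers only the 2-byte packet identifier carries zero reason codes, so a client must reject it before any on_subscribe-style callback indexes the (empty) reason-code array. The function names (parse_suback, decode_remaining_length), the status enum and the sample packets are constructed for this example; the layout assumed is MQTT 3.1.1 (the MQTT v5 properties block between packet identifier and reason codes is not handled).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status values for the example parser (hypothetical names, not libmosquitto's). */
enum suback_status {
    SUBACK_OK = 0,
    SUBACK_ERR_TRUNCATED = -1,       /* buffer shorter than the header claims */
    SUBACK_ERR_NOT_SUBACK = -2,      /* control packet type is not SUBACK (0x9) */
    SUBACK_ERR_NO_REASON_CODES = -3, /* payload holds only the packet identifier */
    SUBACK_ERR_LENGTH = -4           /* malformed variable-byte remaining length */
};

/* Decode MQTT's variable-byte "remaining length" (at most 4 bytes). */
static int decode_remaining_length(const uint8_t *buf, size_t len,
                                   size_t *value, size_t *used)
{
    size_t v = 0, mult = 1, i = 0;
    uint8_t b;
    do {
        if (i >= len || i >= 4)
            return SUBACK_ERR_LENGTH;
        b = buf[i++];
        v += (size_t)(b & 0x7F) * mult;
        mult *= 128;
    } while (b & 0x80);
    *value = v;
    *used = i;
    return SUBACK_OK;
}

/* Parse an MQTT 3.1.1 SUBACK: fixed header, 2-byte packet id, then one
 * reason code per subscribed topic. Returns the reason-code count (>= 1)
 * and points *codes at them inside buf, or a negative suback_status. */
int parse_suback(const uint8_t *buf, size_t len,
                 uint16_t *packet_id, const uint8_t **codes)
{
    size_t remaining, used;
    int rc;
    const uint8_t *p;

    if (len < 2)
        return SUBACK_ERR_TRUNCATED;
    if ((buf[0] >> 4) != 0x9)
        return SUBACK_ERR_NOT_SUBACK;
    rc = decode_remaining_length(buf + 1, len - 1, &remaining, &used);
    if (rc != SUBACK_OK)
        return rc;
    if (len - 1 - used < remaining)
        return SUBACK_ERR_TRUNCATED;
    /* The check that matters here: the payload must carry the packet
     * identifier AND at least one reason code; otherwise a callback that
     * reads codes[0] would touch memory outside the packet. */
    if (remaining < 3)
        return SUBACK_ERR_NO_REASON_CODES;

    p = buf + 1 + used;
    *packet_id = (uint16_t)((p[0] << 8) | p[1]);
    *codes = p + 2;
    return (int)(remaining - 2);
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_OK[]    = {0x90, 0x03, 0x00, 0x01, 0x00}; /* id 1, one code (QoS 0 granted) */
static const uint8_t SAMPLE_EMPTY[] = {0x90, 0x02, 0x00, 0x01};       /* id 1, zero reason codes */
static const uint8_t SAMPLE_SHORT[] = {0x90, 0x05, 0x00, 0x01};       /* claims 5 payload bytes, carries 2 */

/* Helpers returning the parser's verdict on each sample. */
int verdict_ok(void)    { uint16_t id; const uint8_t *c; return parse_suback(SAMPLE_OK, sizeof SAMPLE_OK, &id, &c); }
int verdict_empty(void) { uint16_t id; const uint8_t *c; return parse_suback(SAMPLE_EMPTY, sizeof SAMPLE_EMPTY, &id, &c); }
int verdict_short(void) { uint16_t id; const uint8_t *c; return parse_suback(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &id, &c); }
int sample_ok_packet_id(void) { uint16_t id = 0; const uint8_t *c; parse_suback(SAMPLE_OK, sizeof SAMPLE_OK, &id, &c); return id; }

int main(void)
{
    printf("well-formed SUBACK -> %d reason code(s), packet id %d\n", verdict_ok(), sample_ok_packet_id());
    printf("empty SUBACK       -> status %d\n", verdict_empty());
    printf("truncated SUBACK   -> status %d\n", verdict_short());
    return 0;
}
```

The empty packet is the shape the advisory describes: syntactically valid (correct type, consistent length) yet carrying nothing for the subscribe callback to act on, which is why a length check on the header alone is insufficient and the reason-code count itself must be validated before the callback runs.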
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33469
Vulnerability details
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.
- CWE(s): CWE-122 (Heap-based Buffer Overflow), CWE-787 (Out-of-bounds Write)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are constrained by the client host's memory protections, which render injected code non-executable.