CVE-2024-10525

Severity: High · Public PoC

Published: 30 October 2024

Modified: 03 November 2025
CVSS v4.0 score: 7.2 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.1751 (95.2nd percentile)
Risk priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-10525 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Eclipse Mosquitto. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

In Eclipse Mosquitto versions 1.3.2 through 2.0.18, a vulnerability in the libmosquitto client library allows an out-of-bounds memory access when processing a crafted SUBACK packet that contains no reason codes. The flaw occurs inside the on_subscribe callback and directly affects the mosquitto_sub and mosquitto_rr command-line clients. It is tracked under CWE-122 and CWE-787 and carries a CVSS 4.0 score of 7.2 with high impact on integrity and availability.

An attacker who controls or can impersonate an MQTT broker can send the malicious SUBACK packet to any connecting client that uses the vulnerable library. Successful exploitation results in memory corruption on the client, which may be leveraged to alter program behavior or cause a crash without requiring user interaction or elevated privileges on the client side.

The Mosquitto project addressed the issue in version 2.0.19, with the corrective change published in commit 8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c. Debian subsequently released updated packages through its LTS channels to back-port the fix for affected installations. The associated EPSS score has remained near 0.18 with no material increase since disclosure.
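As an added illustration (not Mosquitto's own code), a minimal SUBACK parser in C that enforces the check the analysis above implies: a packet that carries a packet identifier but zero reason codes is rejected before any on_subscribe-style callback can index the empty code array. It assumes the MQTT 3.1.1 payload layout (MQTT 5 inserts a properties field that is not handled here); the struct, function and constant names are invented for the example.

```c
/* Added example, not libmosquitto's code: a SUBACK parser that rejects a
 * packet with no reason codes before any callback can index them.
 * Layout (MQTT 3.1.1, after the fixed header): 2-byte packet identifier,
 * then one reason/return code per topic that was subscribed. */
#include <stdint.h>
#include <stddef.h>

#define SUBACK_OK            0
#define SUBACK_ERR_SHORT    -1  /* fewer than 2 bytes: no packet identifier */
#define SUBACK_ERR_NO_CODES -2  /* zero reason codes: invalid, do not dispatch */

struct suback {
    uint16_t mid;              /* packet identifier */
    size_t qos_count;          /* number of reason codes that follow */
    const uint8_t *granted_qos;
};

/* `payload` points at the packet identifier; `len` is the remaining length
 * from the fixed header. Returns SUBACK_OK only when at least one code is
 * present, so a callback may safely read granted_qos[0]. */
int parse_suback(const uint8_t *payload, size_t len, struct suback *out)
{
    if (len < 2) return SUBACK_ERR_SHORT;
    out->mid = (uint16_t)((payload[0] << 8) | payload[1]);
    out->qos_count = len - 2;
    out->granted_qos = payload + 2;
    if (out->qos_count == 0) return SUBACK_ERR_NO_CODES;
    return SUBACK_OK;
}

/* Stand-in for an on_subscribe callback that reports the first granted QoS;
 * it is only invoked after parse_suback accepted the packet. */
static int on_subscribe(const struct suback *s)
{
    return (int)s->granted_qos[0];
}

/* Drive the parser over a (constructed) packet and return the first granted
 * QoS, or the parser's negative error code if the packet was rejected. */
int handle_suback(const uint8_t *buf, size_t len)
{
    struct suback s;
    int rc = parse_suback(buf, len, &s);
    return rc == SUBACK_OK ? on_subscribe(&s) : rc;
}
```

The rejected-packet path is the one that matters: the client should treat a zero-code SUBACK as a protocol error and disconnect rather than call into user code.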

Vulnerability details

In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: eclipse
Product: mosquitto
Versions: 1.3.2 to 2.0.19

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
