Cyber Posture

CVE-2025-56353

Severity: High · Public PoC referenced

Published: 20 January 2026
Modified: 03 February 2026
KEV Added: not listed in CISA KEV
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0007 (21.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-56353 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in JustDoIt0910 tinyMQTT, an MQTT broker. Its CVSS v3.1 base score is 7.5 (High): reachable over the network, low attack complexity, no privileges or user interaction required, with the impact confined to availability.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 21.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense Details

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Application or System Exploitation (T1499.004).

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A remote, unauthenticated client can send malformed SUBSCRIBE packets to an Internet-facing tinyMQTT broker; each rejected topic filter leaks heap memory, so a sustained stream exhausts the broker's memory and denies service at the application level.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscription requests with arbitrarily large or invalid filter payloads. Each request causes memory to be allocated for the malformed topic filter, but the broker does not free the associated memory, leading to unbounded heap growth and potential denial of service under sustained attack.

Deeper analysis

CVE-2025-56353 is a memory leak vulnerability in the tinyMQTT broker at commit 6226ade15bd4f97be2d196352e64dd10937c1962, dated 2024-02-18. The issue stems from the broker's failure to validate or reject malformed UTF-8 strings in topic filters: memory is allocated for each malformed filter and never deallocated. The leaked memory is heap memory, the weakness is classified as CWE-401 (Missing Release of Memory after Effective Lifetime, i.e. a memory leak), and the CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending repeated MQTT subscription requests containing arbitrarily large or invalid topic filter payloads, the attacker triggers ongoing memory allocation for each request. The broker does not free this memory, causing unbounded heap growth and eventual denial of service through resource exhaustion under sustained attack.

Mitigation details and further discussion are available in the GitHub issue at https://github.com/JustDoIt0910/tinyMQTT/issues/19. The vulnerability was published on 2026-01-20. Note that the affected product is identified by a commit hash rather than a release version, so operators should compare their checkout against that commit and the fix discussed in the issue instead of relying on a version string; until patched, the practical mitigations are keeping the broker off the public Internet and watching for monotonic memory growth under a stream of rejected SUBSCRIBE packets.
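As an added example (not tinyMQTT's code; the handler, struct and counter names are hypothetical, and the SUBSCRIBE topic-filter bytes are constructed here), the C program below places the allocate-then-validate pattern the description names next to a validate-then-allocate fix. The UTF-8 check is written to the MQTT 3.1.1 §1.5.3 rules (well-formed, no U+0000, no surrogate code points), and an allocation counter makes the leak observable without a heap profiler:

```c
/* Added example, not tinyMQTT's code: a minimal model of the
 * allocate-then-validate leak the NVD description names, beside the
 * validate-then-allocate fix.  All names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation counter so the leak is observable without a heap profiler. */
static long live_allocs = 0;
static void *track_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void  track_free(void *p)    { if (p) { live_allocs--; free(p); } }

/* Per-subscription record a broker would keep (hypothetical layout). */
typedef struct { char *filter; size_t len; uint8_t qos; } subscription_t;

/* MQTT 3.1.1 section 1.5.3: a UTF-8 encoded string MUST be well-formed,
 * MUST NOT contain U+0000 and MUST NOT contain surrogates U+D800..U+DFFF.
 * Returns 1 if s[0..n) satisfies that, 0 otherwise. */
int mqtt_utf8_valid(const uint8_t *s, size_t n) {
    size_t i = 0;
    while (i < n) {
        uint8_t b = s[i];
        uint32_t cp = 0;
        size_t extra = 0;
        if (b < 0x80) {                      /* 1-byte sequence */
            if (b == 0x00) return 0;
            i++;
            continue;
        } else if ((b & 0xE0) == 0xC0) {     /* 2-byte lead: C2..DF */
            if (b < 0xC2) return 0;          /* C0/C1 are overlong */
            cp = b & 0x1F; extra = 1;
        } else if ((b & 0xF0) == 0xE0) {     /* 3-byte lead: E0..EF */
            cp = b & 0x0F; extra = 2;
        } else if ((b & 0xF8) == 0xF0) {     /* 4-byte lead: F0..F4 */
            if (b > 0xF4) return 0;          /* beyond U+10FFFF */
            cp = b & 0x07; extra = 3;
        } else {
            return 0;                        /* stray continuation or F8..FF */
        }
        if (i + extra >= n) return 0;        /* truncated sequence */
        for (size_t k = 1; k <= extra; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (extra == 2 && cp < 0x800) return 0;                      /* overlong */
        if (extra == 3 && (cp < 0x10000 || cp > 0x10FFFF)) return 0; /* overlong / out of range */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;                  /* surrogate */
        i += 1 + extra;
    }
    return 1;
}

/* One SUBSCRIBE payload entry: 2-byte big-endian length, the filter bytes,
 * then a QoS byte.  Points *str at the filter without copying it. */
static int parse_filter_field(const uint8_t *p, size_t n,
                              const uint8_t **str, size_t *slen) {
    if (n < 2) return -1;
    size_t len = ((size_t)p[0] << 8) | p[1];
    if (n < 2 + len + 1) return -1;          /* filter plus QoS byte must fit */
    *str = p + 2;
    *slen = len;
    return 0;
}

/* Leaky pattern (CWE-401): copy the filter to the heap first, validate
 * second, and bail out on a bad filter without releasing the copy. */
int handle_subscribe_leaky(const uint8_t *payload, size_t n, subscription_t *out) {
    const uint8_t *str; size_t len;
    if (parse_filter_field(payload, n, &str, &len) < 0) return -1;
    char *copy = track_malloc(len + 1);
    if (!copy) return -1;
    memcpy(copy, str, len);
    copy[len] = '\0';
    if (!mqtt_utf8_valid(str, len))
        return -2;                           /* BUG: 'copy' is never freed */
    out->filter = copy; out->len = len; out->qos = str[len] & 0x03;
    return 0;
}

/* Fixed pattern: validate the wire bytes before allocating anything, so a
 * rejected filter never owns heap memory (freeing on the error path would
 * also work; validating first is simpler to get right). */
int handle_subscribe_fixed(const uint8_t *payload, size_t n, subscription_t *out) {
    const uint8_t *str; size_t len;
    if (parse_filter_field(payload, n, &str, &len) < 0) return -1;
    if (!mqtt_utf8_valid(str, len)) return -2;
    char *copy = track_malloc(len + 1);
    if (!copy) return -1;
    memcpy(copy, str, len);
    copy[len] = '\0';
    out->filter = copy; out->len = len; out->qos = str[len] & 0x03;
    return 0;
}

void subscription_release(subscription_t *s) { track_free(s->filter); s->filter = NULL; }

typedef int (*subscribe_handler_fn)(const uint8_t *, size_t, subscription_t *);

/* Feed `rounds` copies of a constructed malformed filter ("a\xFFb": 0xFF can
 * never appear in UTF-8) through a handler and report how many allocations
 * are still live afterwards; a correct handler reports 0. */
long leaked_after(subscribe_handler_fn handler, int rounds) {
    static const uint8_t bad[] = { 0x00, 0x03, 'a', 0xFF, 'b', 0x00 };
    long before = live_allocs;
    for (int i = 0; i < rounds; i++) {
        subscription_t sub = {0};
        if (handler(bad, sizeof bad, &sub) == 0) subscription_release(&sub);
    }
    return live_allocs - before;
}

int main(void) {
    printf("leaky handler: %ld allocations leaked after 1000 bad SUBSCRIBEs\n",
           leaked_after(handle_subscribe_leaky, 1000));
    printf("fixed handler: %ld allocations leaked after 1000 bad SUBSCRIBEs\n",
           leaked_after(handle_subscribe_fixed, 1000));
    return 0;
}
```

Compile with any C99 compiler and run: the leaky handler reports one live allocation per malformed SUBSCRIBE, the fixed handler none. The per-packet cost is tiny, which is why the real-world signal is steady RSS growth under a stream of SUBSCRIBE packets the broker rejects rather than a single crash.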

Details

CWE(s): CWE-401 Missing Release of Memory after Effective Lifetime

Affected Products: JustDoIt0910 tinyMQTT, commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18)

CVEs Like This One (shared CWE-401)

CVE-2025-20239
CVE-2025-21091
CVE-2025-1634
CVE-2026-25969
CVE-2026-31711
CVE-2026-25988
CVE-2026-24828
CVE-2026-4247
CVE-2026-20105
CVE-2026-1605

References

https://github.com/JustDoIt0910/tinyMQTT/issues/19