mosquitto vulnerabilities and exploits
CVE-2023-0809 | CVSSv3 5.3 | Eclipse Mosquitto
In Mosquitto prior to 2.0.16, excessive memory is allocated based on malicious initial packets that are not CONNECT packets.
CVE-2023-3592 | CVSSv3 7.5 | Eclipse Mosquitto
In Mosquitto prior to 2.0.16, a memory leak occurs when clients send v5 CONNECT packets with a will message that contains invalid property types.
CVE-2023-28366 | CVSSv3 7.5 | Eclipse Mosquitto
The broker in Eclipse Mosquitto 1.3.2 up to and including 2.x prior to 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN fr...
CVE-2023-5632 | CVSSv3 7.5 | Eclipse Mosquitto
In Eclipse Mosquitto before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results in excessive CPU consumption. This could be used by a malicious actor to perform a denial of service type attack....
CVE-2018-12543 | CVSSv3 7.5 | Eclipse Mosquitto
In Eclipse Mosquitto versions 1.5 to 1.5.2 inclusive, if a message is published to Mosquitto that has a topic starting with $, but that is not $SYS, e.g. $test/test, then an assert is triggered that should otherwise not be reachable and Mosquitto will exit.
(2 GitHub repositories)
CVE-2018-12546 | CVSSv3 6.5 | Eclipse Mosquitto
In Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) when a client publishes a retained message to a topic, then has its access to that topic revoked, the retained message will still be published to clients that subscribe to that topic in the future. In some applications this ma...
CVE-2018-12550 | CVSSv3 8.1 | Eclipse Mosquitto
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty, or contains only comments or blank lines, then Mosquitto will treat this as though no ACL file has been defined and use a default allow policy. The new behaviour ...
CVE-2018-12551 | CVSSv3 8.1 | Eclipse Mosquitto
When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use a password file for authentication, any malformed data in the password file will be treated as valid. This typically means that the malformed data becomes a username and no password. If this occurs, clie...
CVE-2019-11778 | CVSSv3 5.4 | Eclipse Mosquitto
If an MQTT v5 client connects to Eclipse Mosquitto versions 1.6.0 to 1.6.4 inclusive, sets a last will and testament, sets a will delay interval, sets a session expiry interval, and the will delay interval is set longer than the session expiry interval, then a use after free erro...
CVE-2018-20145 | CVSSv3 7.5 | Eclipse Mosquitto
Eclipse Mosquitto 1.5.x prior to 1.5.5 allows ACL bypass: if the option per_listener_settings was set to true, and the default listener was in use, and the default listener specified an acl_file, then the acl file was being ignored.