|Description||In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|mosquitto (PTS)||stretch (security), stretch||1.4.10-3+deb9u4||fixed|
|buster, buster (security)||1.5.7-1+deb10u1||fixed|
|bookworm, sid, bullseye||2.0.11-1||fixed|
The information below is based on the following data on fixed versions.
[stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
Introduced by: https://github.com/eclipse/mosquitto/commit/883af8af5379092097c6552a7a4a8c52409d2566 (v1.5)
Fixed by: https://github.com/eclipse/mosquitto/commit/106675093177335b18521bc0e5ad1d95343ad652 (1.6.6)
Fixed by: https://github.com/eclipse/mosquitto/commit/84681d9728ceb7f6ea2b6751b4d87200d8a62f14 (1.5.9)
The issue manifests in versions 1.5.0 and onwards only, because some structs
increased in size enough to cause the stack overflow vulnerability for excessive
topic hierarchies. In earlier versions, the maximum possible hierarchy depth of
65535 wouldn't cause a stack overflow.