DescriptionIn Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1972-1, DSA-4570-1
Debian Bugs940654

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mosquitto (PTS)buster, buster (security)1.5.7-1+deb10u1fixed
bullseye (security), bullseye2.0.11-1+deb11u1fixed
bookworm, bookworm (security)2.0.11-1.2+deb12u1fixed
sid, trixie2.0.18-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mosquittosourcestretch(not affected)


[stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
Introduced by: (v1.5)
Fixed by: (1.6.6)
Fixed by: (1.5.9)
The issue manifests in versions 1.5.0 and onwards only, because some structs
increased in size enough to cause the stack overflow vulnerability for excessive
topic hierarchies. In earlier versions, the maximum possible hierarchy depth of
65535 wouldn't cause a stack overflow.

Search for package or bug name: Reporting problems