Skip to content

[Eclipse Paho] paho.mqtt.golang (1.5.0) Protocol Smuggling

The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue it used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.

Basic information

Project name: paho.mqtt.golang (Go MQTT v3.1 library)

Project id: iot.paho

Request type: publication

Versions affected: <=v1.5.0

Common Weakness Enumeration:

  • CWE-681 Incorrect Conversion between Numeric Types
  • CWE-197 Numeric Truncation Error

Common Vulnerability Scoring System: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary:

In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet).

The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes then the amount of data written exceeds what the length field indicates. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body).

Links:

Tracking

This section will completed by the project team.

  • Reserve an entry only
  • We're ready for this issue to be reported to the central authority (i.e., make this public now)
  • (when applicable) The GitHub Security Advisory is ready to be published now

Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.

This section will be completed by the EMO.

CVE: CVE-2025-10543

  • All required information is provided
  • CVE Assigned
  • Pushed to Mitre
  • Accepted by Mitre
Edited by Lukas Pühringer
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Copyright © Eclipse Foundation, Inc. All Rights Reserved.     Privacy Policy | Terms of Use | Copyright Agent