Mosquitto: Memory leaks
Basic information
Project name: Eclipse Mosquitto
Project id: iot.mosquitto
What are the affected versions?
2.0.18
We have not checked previous versions.
Details of the issue
We have found memory leaks in Mosquitto 2.0.18.
This vulnerability can be triggered by sending a specific sequence of the following packets:
CONNECT
SUBSCRIBE
UNSUBSCRIBE
We attach the ASan stack trace of the vulnerability as well as the hex-encoded bytes of the packets ("%x" is used as a hex prefix).
Steps to reproduce
Run the attached replay_mqtt_finding.py script against a Mosquitto 2.0.18 broker which has been instrumented with ASan (AddressSanitizer).
Do you know any mitigations of the issue?
No.
Credit request
If you assign a CVE, is it possible to register the requested CVE with our names and organization name? We are Roman Kraus, Steffen Lüdtke, Martin Schneider and Ramon Barakat of Fraunhofer FOKUS.
Best regards,
Roman Kraus