Skip to content

paho.mqtt.golang (1.5.0) Protocol Smuggling

Received on the security mailing list.

At Sonar, we are equally driven by studying and understanding real-world vulnerabilities and helping the open-source community secure their projects.

While researching the codebase of paho.mqtt.golang 1.5.0, we found and verified an Integer Truncation vulnerability in the MQTT message serialization, that we would like to disclose responsibly. I am attaching our technical advisory with the vulnerable code lines, steps to reproduce the issues, and our suggestions for their remediation. We will be happy to participate in the patch review process.

All reported issues are subject to a 90-day disclosure deadline, starting from this report. After 90 days elapse, we may publish parts of this report to help users protect themselves.

paho.mqtt.golang_1.5.0_Security_Advisory.pdf

@icraggs, would you mind having a look at the report? Thanks!

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Copyright © Eclipse Foundation, Inc. All Rights Reserved.     Privacy Policy | Terms of Use | Copyright Agent