DEBIAN-CVE-2024-10525
PUBLISHED
CVSS 9.8 CRITICAL
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may perform an out-of-bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.
Risk Scores
CVSS 3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | mosquitto | 0, 0, 0 |
| Debian:13 | mosquitto | 0, 0, 0 |
| Debian:12 | mosquitto | 0, 2.0.11-1.2, 2.0.11-1.2+deb12u1 |
| Debian:11 | mosquitto | 2.0.11-1+deb11u1, 2.0.11-1, 2.0.11-1 |
Exploit Intelligence
- async-iot.ts (github-poc)
Timeline
- Oct 30, 2024 CVE Published
- Apr 28, 2026 CVE Updated