
11 vulnerabilities found for nanomq by nanomq

CVE-2026-32135 (GCVE-0-2026-32135)
Vulnerability from cvelistv5
Published
2026-04-20 19:23
Modified
2026-04-21 13:33
CWE
  • CWE-122 - Heap-based Buffer Overflow
Summary
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function of NanoMQ's REST API. The vulnerability occurs due to an off-by-one error when allocating memory for query parameter keys and values, allowing an attacker to write a null byte beyond the allocated buffer. This can be triggered via a crafted HTTP request. Version 0.24.11 patches the issue.
Impacted products
Vendor Product Version
nanomq nanomq Version: < 0.24.11


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32135",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-21T13:32:34.532703Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-21T13:33:14.607Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.24.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function of NanoMQ\u0027s REST API. The vulnerability occurs due to an off-by-one error when allocating memory for query parameter keys and values, allowing an attacker to write a null byte beyond the allocated buffer. This can be triggered via a crafted HTTP request. Version 0.24.11 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-20T19:23:09.704Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-6w96-9qw7-m599",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-6w96-9qw7-m599"
        },
        {
          "name": "https://github.com/nanomq/nanomq/issues/2247",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/issues/2247"
        },
        {
          "name": "https://github.com/nanomq/nanomq/commit/69a97b3b39cc218f044f1c8896f4d3d8757bb394",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/commit/69a97b3b39cc218f044f1c8896f4d3d8757bb394"
        }
      ],
      "source": {
        "advisory": "GHSA-6w96-9qw7-m599",
        "discovery": "UNKNOWN"
      },
      "title": "NanoMQ has Heap Buffer Overflow in URI Parameter Parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32135",
    "datePublished": "2026-04-20T19:23:09.704Z",
    "dateReserved": "2026-03-10T22:19:36.546Z",
    "dateUpdated": "2026-04-21T13:33:14.607Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34608 (GCVE-0-2026-34608)
Vulnerability from cvelistv5
Published
2026-04-02 17:52
Modified
2026-04-02 19:10
CWE
  • CWE-125 - Out-of-bounds Read
  • CWE-457 - Use of Uninitialized Variable
Summary
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.10, in NanoMQ's webhook_inproc.c, the hook_work_cb() function processes nng messages by parsing the message body with cJSON_Parse(body). The body is obtained from nng_msg_body(msg), which is a binary buffer without a guaranteed null terminator. This leads to an out-of-bounds (OOB) read, because cJSON_Parse keeps reading until it finds a \0, potentially accessing memory beyond the allocated buffer (e.g., nng_msg metadata or adjacent heap/stack). The issue is often masked by nng's allocation padding (extra 32 bytes of zeros for non-power-of-two sizes <1024 or non-aligned). The over-read is reliably triggered when the JSON payload length is a power-of-two >=1024 (no padding added). This issue has been patched in version 0.24.10.
Impacted products
Vendor Product Version
nanomq nanomq Version: < 0.24.10


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34608",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T19:10:50.684727Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T19:10:58.813Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.24.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.10, in NanoMQ\u0027s webhook_inproc.c, the hook_work_cb() function processes nng messages by parsing the message body with cJSON_Parse(body). The body is obtained from nng_msg_body(msg), which is a binary buffer without a guaranteed null terminator. This leads to an out-of-bounds read (OOB read) as cJSON_Parse reads until it finds a \\0, potentially accessing memory beyond the allocated buffer (e.g., nng_msg metadata or adjacent heap/stack). The issue is often masked by nng\u0027s allocation padding (extra 32 bytes of zeros for non-power-of-two sizes \u003c1024 or non-aligned). The overflow is reliably triggered when the JSON payload length is a power-of-two \u003e=1024 (no padding added). This issue has been patched in version 0.24.10."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-457",
              "description": "CWE-457: Use of Uninitialized Variable",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-02T17:52:51.813Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-8p57-jxj9-3qq3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-8p57-jxj9-3qq3"
        },
        {
          "name": "https://github.com/nanomq/nanomq/commit/9499a4b2c47998a6aadb69238c18b9e6771b1691",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/commit/9499a4b2c47998a6aadb69238c18b9e6771b1691"
        },
        {
          "name": "https://github.com/nanomq/nanomq/releases/tag/0.24.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/releases/tag/0.24.10"
        }
      ],
      "source": {
        "advisory": "GHSA-8p57-jxj9-3qq3",
        "discovery": "UNKNOWN"
      },
      "title": "nanomq: Heap-Buffer-Overflow in webhook_inproc.c via cJSON_Parse OOB Read"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34608",
    "datePublished": "2026-04-02T17:52:51.813Z",
    "dateReserved": "2026-03-30T17:15:52.500Z",
    "dateUpdated": "2026-04-02T19:10:58.813Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32696 (GCVE-0-2026-32696)
Vulnerability from cvelistv5
Published
2026-03-30 20:11
Modified
2026-03-31 15:24
CWE
  • CWE-476 - NULL Pointer Dereference
Summary
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.http_auth (HTTP authentication), when a client connects to the broker using MQTT CONNECT without providing username/password, and the configuration params use the placeholders %u / %P (e.g., username="%u", password="%P"), the HTTP request construction phase enters auth_http.c:set_data(). This results in calling strlen() on a NULL pointer, causing a SIGSEGV crash. This crash can be triggered remotely, resulting in a denial of service. This issue has been patched in version 0.24.7.
Impacted products
Vendor Product Version
nanomq nanomq Version: >= 0.24.6, < 0.24.7


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32696",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T15:23:56.365413Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T15:24:06.506Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.24.6, \u003c 0.24.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In NanoMQ version 0.24.6, after enabling auth.http_auth (HTTP authentication), when a client connects to the broker using MQTT CONNECT without providing username/password, and the configuration params uses the placeholders %u / %P (e.g., username=\"%u\", password=\"%P\"), the HTTP request construction phase enters auth_http.c:set_data(). This results in calling strlen() on a NULL pointer, causing a SIGSEGV crash. This crash can be triggered remotely, resulting in a denial of service. This issue has been patched in version 0.24.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476: NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T20:11:30.580Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-77f4-wvq8-mp3p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-77f4-wvq8-mp3p"
        },
        {
          "name": "https://github.com/nanomq/NanoNNG/pull/1394",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/NanoNNG/pull/1394"
        },
        {
          "name": "https://github.com/nanomq/NanoNNG/commit/c20aa27e5290bb480a5315099952480d35f37a8b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/NanoNNG/commit/c20aa27e5290bb480a5315099952480d35f37a8b"
        },
        {
          "name": "https://github.com/nanomq/nanomq/releases/tag/0.24.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/releases/tag/0.24.7"
        }
      ],
      "source": {
        "advisory": "GHSA-77f4-wvq8-mp3p",
        "discovery": "UNKNOWN"
      },
      "title": "NanoMQ HTTP Auth: Missing username/password can trigger a NULL-pointer strlen() in auth_http.c:set_data(), causing a process crash \u2014 SIGSEGV, remotely triggerable"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32696",
    "datePublished": "2026-03-30T20:11:30.580Z",
    "dateReserved": "2026-03-13T14:33:42.822Z",
    "dateUpdated": "2026-03-31T15:24:06.506Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25627 (GCVE-0-2026-25627)
Vulnerability from cvelistv5
Published
2026-03-30 20:11
Modified
2026-03-31 19:09
CWE
  • CWE-125 - Out-of-bounds Read
Summary
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.
Impacted products
Vendor Product Version
nanomq nanomq Version: < 0.24.8


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25627",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T18:38:44.968276Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T19:09:34.784Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.24.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ\u2019s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T20:11:08.586Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"
        },
        {
          "name": "https://github.com/nanomq/NanoNNG/pull/1405",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/NanoNNG/pull/1405"
        },
        {
          "name": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e"
        },
        {
          "name": "https://github.com/nanomq/nanomq/releases/tag/0.24.8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/releases/tag/0.24.8"
        }
      ],
      "source": {
        "advisory": "GHSA-w4rh-v3h2-j29x",
        "discovery": "UNKNOWN"
      },
      "title": "nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25627",
    "datePublished": "2026-03-30T20:11:08.586Z",
    "dateReserved": "2026-02-04T05:15:41.789Z",
    "dateUpdated": "2026-03-31T19:09:34.784Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21888 (GCVE-0-2026-21888)
Vulnerability from cvelistv5
Published
2026-03-11 15:22
Modified
2026-03-11 15:35
CWE
  • CWE-125 - Out-of-bounds Read
Summary
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. The MQTT v5 Variable Byte Integer parser can read out of bounds: get_var_integer() accepts 5-byte varints without bounds checks, which reliably triggers an OOB read / crash when built with ASan. This affects 0.24.6 and earlier.
Impacted products
Vendor Product Version
nanomq nanomq Version: <= 0.24.6


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21888",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T15:35:24.683645Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T15:35:36.678Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 0.24.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer() accepts 5-byte varints without bounds checks; reliably triggers OOB read / crash when built with ASan. This affects 0.24.6 and earlier."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-11T15:22:32.463Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-cggc-6m7w-j7x5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-cggc-6m7w-j7x5"
        },
        {
          "name": "https://github.com/nanomq/nanomq/issues/2192",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/issues/2192"
        }
      ],
      "source": {
        "advisory": "GHSA-cggc-6m7w-j7x5",
        "discovery": "UNKNOWN"
      },
      "title": "MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var_integer()"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-21888",
    "datePublished": "2026-03-11T15:22:32.463Z",
    "dateReserved": "2026-01-05T17:24:36.929Z",
    "dateUpdated": "2026-03-11T15:35:36.678Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22040 (GCVE-0-2026-22040)
Vulnerability from cvelistv5
Published
2026-03-04 21:55
Modified
2026-03-05 15:42
CWE
  • CWE-416 - Use After Free
Summary
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, by generating a combined traffic pattern of high-frequency publishes and rapid reconnect/kick-out using the same ClientID and massive subscribe/unsubscribe jitter, it is possible to reliably trigger heap memory corruption in the Broker process, causing it to exit immediately with SIGABRT due to free(): invalid pointer. As of the time of publication, no known patched versions are available.
Impacted products
Vendor Product Version
nanomq nanomq Version: = 0.24.6


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22040",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-05T15:29:16.882273Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-05T15:42:26.352Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "= 0.24.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, by generating a combined traffic pattern of high-frequency publishes and rapid reconnect/kick-out using the same ClientID and massive subscribe/unsubscribe jitter, it is possible to reliably trigger heap memory corruption in the Broker process, causing it to exit immediately with SIGABRT due to free(): invalid pointer. As of time of publication, no known patched versions are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-04T21:55:11.238Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-v57q-w88m-424r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-v57q-w88m-424r"
        }
      ],
      "source": {
        "advisory": "GHSA-v57q-w88m-424r",
        "discovery": "UNKNOWN"
      },
      "title": "NanoMQ 0.24.6 Use-After-Free Leading to Heap Corruption and Broker Crash"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22040",
    "datePublished": "2026-03-04T21:55:11.238Z",
    "dateReserved": "2026-01-05T22:30:38.719Z",
    "dateUpdated": "2026-03-05T15:42:26.352Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68699 (GCVE-0-2025-68699)
Vulnerability from cvelistv5
Published
2026-02-04 19:25
Modified
2026-02-04 19:51
CWE
  • CWE-476 - NULL Pointer Dereference
Summary
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7.
Impacted products
Vendor Product Version
nanomq nanomq Version: = 0.24.6


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68699",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T19:43:58.427047Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T19:51:10.769Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "= 0.24.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476: NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-04T19:25:12.716Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h"
        },
        {
          "name": "https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b"
        }
      ],
      "source": {
        "advisory": "GHSA-qv5f-c6v2-2f8h",
        "discovery": "UNKNOWN"
      },
      "title": "NanoMQ $share/ Subscription Validation and Forwarding Parsing Inconsistency: NULL Pointer Increment Causes Crash"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-68699",
    "datePublished": "2026-02-04T19:25:12.716Z",
    "dateReserved": "2025-12-23T17:11:35.077Z",
    "dateUpdated": "2026-02-04T19:51:10.769Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-66023 (GCVE-0-2025-66023)
Vulnerability from cvelistv5
Published
2026-01-01 15:11
Modified
2026-01-05 20:04
CWE
  • CWE-416 - Use After Free
Summary
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a Heap-Use-After-Free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). The vulnerability is triggered when NanoMQ acts as a bridge connecting to a remote MQTT broker. A malicious remote broker can trigger a crash (Denial of Service) or potential memory corruption by accepting the connection and immediately sending a malformed packet sequence. Version 0.34.5 contains a patch [note: this record's affected range is "< 0.24.5" and the text above says "prior to 0.24.5", so "0.34.5" looks like a typo for 0.24.5; confirm the fixed version against the linked advisory before planning an upgrade]. The patch enforces stricter protocol adherence in the MQTT client SDK embedded in NanoMQ. Specifically, it ensures that CONNACK is always the first packet processed in the line. This prevents the state confusion that led to the Heap-Use-After-Free (UAF) when a malicious server sent a malformed packet sequence immediately after connection establishment. As a workaround, validate the remote broker before bridging.
Impacted products
Vendor Product Version
nanomq nanomq Version: < 0.24.5


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66023",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-05T20:04:24.756709Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-05T20:04:36.489Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.24.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a Heap-Use-After-Free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). The vulnerability is triggered when NanoMQ acts as a bridge connecting to a remote MQTT broker. A malicious remote broker can trigger a crash (Denial of Service) or potential memory corruption by accepting the connection and immediately sending a malformed packet sequence. Version 0.34.5 contains a patch. The patch enforces stricter protocol adherence in the MQTT client SDK embedded in NanoMQ. Specifically, it ensures that CONNACK is always the first packet processed in the line. This prevents the state confusion that led to the Heap-Use-After-Free (UAF) when a malicious server sent a malformed packet sequence immediately after connection establishment. As a workaround, validate the remote broker before bridging."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-01T15:11:46.028Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-24f7-q5hh-27hf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-24f7-q5hh-27hf"
        },
        {
          "name": "https://github.com/nanomq/nanomq/issues/2145",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/issues/2145"
        },
        {
          "name": "https://github.com/nanomq/NanoNNG/pull/1365",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/NanoNNG/pull/1365"
        }
      ],
      "source": {
        "advisory": "GHSA-24f7-q5hh-27hf",
        "discovery": "UNKNOWN"
      },
      "title": "NanoMQ has Use-After-Free of malformed bridging message"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66023",
    "datePublished": "2026-01-01T15:11:46.028Z",
    "dateReserved": "2025-11-21T01:08:02.613Z",
    "dateUpdated": "2026-01-05T20:04:36.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-59946 (GCVE-0-2025-59946)
Vulnerability from cvelistv5
Published
2025-12-27 00:40
Modified
2025-12-29 15:54
CWE
  • CWE-416 - Use After Free
Summary
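NanoMQ MQTT Broker (NanoMQ) is an Edge Messaging Platform. Prior to version 0.24.2, there is a classic data race on the sub info list which could result in a heap use-after-free crash. This issue has been patched in version 0.24.2. [Note: the affected range recorded for this entry is "< 0.24.4", which disagrees with the 0.24.2 stated here; confirm the fixed version against the linked advisory.]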
Impacted products
Vendor Product Version
nanomq nanomq Version: < 0.24.4


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59946",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-29T15:54:12.069408Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-29T15:54:27.851Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.24.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ MQTT Broker (NanoMQ) is an Edge Messaging Platform. Prior to version 0.24.2, there is a classical data racing issue about sub info list which could result in heap use after free crash. This issue has been patched in version 0.24.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-27T00:40:51.122Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-xg37-23w7-72p5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-xg37-23w7-72p5"
        },
        {
          "name": "https://github.com/nanomq/nanomq/issues/1863",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/issues/1863"
        }
      ],
      "source": {
        "advisory": "GHSA-xg37-23w7-72p5",
        "discovery": "UNKNOWN"
      },
      "title": "NanoMQ has a Use After Free vulnerability via sub info list"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59946",
    "datePublished": "2025-12-27T00:40:51.122Z",
    "dateReserved": "2025-09-23T14:33:49.506Z",
    "dateUpdated": "2025-12-29T15:54:27.851Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-59947 (GCVE-0-2025-59947)
Vulnerability from cvelistv5
Published
2025-12-15 20:19
Modified
2025-12-15 20:58
CWE
  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Summary
NanoMQ is a messaging broker/bus for IoT Edge & SDV. Versions prior to 0.24.4 have a buffer overflow that occurs when PUBLISH packets trigger both a shared subscription and a vanilla subscription. This is fixed in version 0.24.4. As a workaround, disable shared subscription.
Impacted products
Vendor Product Version
nanomq nanomq Version: < 0.24.4
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59947",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-15T20:58:18.904844Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-15T20:58:37.814Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.24.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ is a messaging broker/bus for IoT Edge \u0026 SDV. Versions prior to 0.24.4 have a buffer overflow case while the PUBLISH packets trigger both shared subscription and vanila subscription. This is fixed in version 0.24.4. As a workaround, disable shared subscription."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-15T20:19:17.212Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-98f4-cmg8-x7f3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-98f4-cmg8-x7f3"
        },
        {
          "name": "https://github.com/nanomq/nanomq/issues/2110",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/issues/2110"
        },
        {
          "name": "https://github.com/nanomq/nanomq/commit/5f5581054bb92f102cf99251e8af2f43763d457b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/commit/5f5581054bb92f102cf99251e8af2f43763d457b"
        }
      ],
      "source": {
        "advisory": "GHSA-98f4-cmg8-x7f3",
        "discovery": "UNKNOWN"
      },
      "title": "NanoMQ has Buffer Overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59947",
    "datePublished": "2025-12-15T20:19:17.212Z",
    "dateReserved": "2025-09-23T14:33:49.506Z",
    "dateUpdated": "2025-12-15T20:58:37.814Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-65953 (GCVE-0-2025-65953)
Vulnerability from cvelistv5
Published
2025-11-25 23:13
Modified
2025-11-26 16:10
CWE
  • CWE-416 - Use After Free
Summary
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.22.5, a Heap-Use-After-Free (UAF) vulnerability exists in the TCP transport component of NanoMQ, which relies on the underlying NanoNNG library (specifically in src/sp/transport/mqtt/broker_tcp.c). The vulnerability is due to improper resource management and premature cleanup of message and pipe structures under specific malformed MQTTV5 retain message traffic conditions. This issue has been patched in version 0.22.5.
Impacted products
Vendor Product Version
nanomq nanomq Version: < 0.22.5


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-65953",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-26T16:10:04.750695Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-26T16:10:11.478Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.22.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.22.5, a Heap-Use-After-Free (UAF) vulnerability exists in the TCP transport component of NanoMQ, which relies on the underlying NanoNNG library (specifically in src/sp/transport/mqtt/broker_tcp.c). The vulnerability is due to improper resource management and premature cleanup of message and pipe structures under specific malformed MQTTV5 retain message traffic conditions. This issue has been patched in version 0.22.5."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-25T23:13:09.619Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-r95p-wjm8-2qxr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-r95p-wjm8-2qxr"
        }
      ],
      "source": {
        "advisory": "GHSA-r95p-wjm8-2qxr",
        "discovery": "UNKNOWN"
      },
      "title": "NanoMQ UAF of retain message due to invalid MQTTV5 properties"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-65953",
    "datePublished": "2025-11-25T23:13:09.619Z",
    "dateReserved": "2025-11-18T16:14:56.693Z",
    "dateUpdated": "2025-11-26T16:10:11.478Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}