Memory Leak Vulnerability in Eclipse Mosquitto MQTT Broker

Memory Leak Vulnerability in Eclipse Mosquitto MQTT Broker

CVE-2023-28366 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

Learn more about our Web Application Penetration Testing UK.