Heap-based Buffer Overflow Vulnerability in Cesanta Mongoose 7.10 MQTT_CMD_PUBLISH Parsed Message Length Validation

CVE-2023-2905 · HIGH Severity

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Due to a failure to validate the length of a parsed MQTT_CMD_PUBLISH message with a variable-length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow in the default configuration. Versions 7.9 and prior do not appear to be vulnerable. This issue is resolved in version 7.11.
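The class of check the advisory describes, shown as an added example (not Mongoose's own code): an MQTT 3.1.1 PUBLISH parser that validates the remaining-length field, the topic length and the packet id against the bytes actually received before deriving any pointer. The struct, function names and the two sample packets are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Parsed view of an MQTT 3.1.1 PUBLISH packet (added example, not Mongoose's code). */
struct mqtt_publish {
    uint8_t qos; uint16_t topic_len, packet_id;   /* packet_id is present only when qos > 0 */
    const uint8_t *topic, *payload; size_t payload_len;
};

/* Decode the fixed header's "remaining length" varint (1..4 bytes).
 * Returns the number of length bytes consumed, or 0 if truncated or over-long. */
static size_t mqtt_decode_remaining(const uint8_t *buf, size_t len, size_t *out) {
    size_t val = 0, mult = 1, i;
    for (i = 0; i < 4 && i < len; i++) {
        val += (size_t)(buf[i] & 0x7f) * mult;
        if ((buf[i] & 0x80) == 0) { *out = val; return i + 1; }
        mult *= 128;
    }
    return 0;
}

/* Parse a PUBLISH packet, checking every declared length against the bytes actually
 * received before deriving any pointer. Returns 0 on success, -1 if malformed. */
int mqtt_parse_publish(const uint8_t *buf, size_t len, struct mqtt_publish *out) {
    size_t rem, hdr, pos;
    if (len < 2 || (buf[0] >> 4) != 3) return -1;     /* control packet type 3 = PUBLISH */
    hdr = mqtt_decode_remaining(buf + 1, len - 1, &rem);
    if (hdr == 0) return -1;
    pos = 1 + hdr;
    if (rem > len - pos) return -1;                   /* declares more bytes than were received */
    len = pos + rem;                                  /* ignore any following packet in the buffer */
    out->qos = (buf[0] >> 1) & 3;
    if (out->qos == 3 || len - pos < 2) return -1;
    out->topic_len = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    pos += 2;
    if (out->topic_len > len - pos) return -1;        /* topic would run past the end of the packet */
    out->topic = buf + pos; pos += out->topic_len;
    if (out->qos > 0) {                               /* packet id completes the variable header */
        if (len - pos < 2) return -1;
        out->packet_id = (uint16_t)((buf[pos] << 8) | buf[pos + 1]); pos += 2;
    }
    out->payload = buf + pos; out->payload_len = len - pos;
    return 0;
}

/* Constructed samples: a well-formed PUBLISH of "hello" to topic "a/b", and one whose
 * topic length field (0x0100 = 256) exceeds the 10-byte remaining length it sits in. */
const uint8_t good_pkt[] = {0x30, 0x0a, 0x00, 0x03, 'a', '/', 'b', 'h', 'e', 'l', 'l', 'o'};
const uint8_t bad_topic_pkt[] = {0x30, 0x0a, 0x01, 0x00, 'a', '/', 'b', 'h', 'e', 'l', 'l', 'o'};
```

Parsing `good_pkt` returns 0 with a 3-byte topic and 5-byte payload; `bad_topic_pkt` is rejected with -1 before any topic or payload pointer is formed.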