CVE-2024-10525 Overview
CVE-2024-10525 affects Eclipse Mosquitto, a widely deployed open-source MQTT broker and client library used in Internet of Things (IoT) and messaging architectures. The flaw resides in libmosquitto versions 1.3.2 through 2.0.18. A malicious broker can answer a SUBSCRIBE with a crafted SUBACK that carries no reason codes at all; this is malformed under both MQTT v3.1.1 and MQTT v5, because a SUBSCRIBE always names at least one topic filter and the SUBACK must answer each one. The library accepts the packet anyway and invokes the client's on_subscribe callback with qos_count == 0 and a zero-length granted_qos array, so any callback that indexes that array reads out of bounds. The mosquitto_sub and mosquitto_rr command-line clients are both impacted because they link against libmosquitto and their subscribe callbacks read granted_qos[0] without first checking qos_count.
Critical Impact
A malicious or compromised MQTT broker can trigger an out-of-bounds memory access in any connected libmosquitto client whose on_subscribe callback trusts the granted-QoS array, typically crashing the client. In IoT and telemetry pipelines that means a rogue or hijacked broker can knock subscribers offline at will, since the trigger is a single reply to a routine subscription. Any impact beyond a crash or a garbage value depends on what the application's own callback does with the array.
Affected Products
- Eclipse Mosquitto libmosquitto versions 1.3.2 through 2.0.18
- mosquitto_sub client (bundled with affected versions)
- mosquitto_rr client (bundled with affected versions)
Discovery Timeline
- 2024-10-30 - CVE-2024-10525 published to the National Vulnerability Database (NVD)
- 2024-10 - Eclipse Foundation releases Mosquitto 2.0.19 with the fix
- 2025-02 - Debian LTS publishes a backported security update
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-10525
Vulnerability Analysis
The defect is an out-of-bounds memory access in the client-side handler for MQTT SUBACK packets. When a client subscribes to one or more topics, the broker is expected to reply with a SUBACK containing one reason code per subscription (the granted QoS, or a failure code such as 0x80). The vulnerable code in lib/handle_suback.c takes the number of reason codes to be whatever is left of the packet after the variable header, without checking that at least one is present. When a broker sends a SUBACK with zero reason codes, the code allocates a zero-length granted_qos buffer, fills nothing into it, and still hands it to the client's on_subscribe callback together with qos_count == 0. The library itself never writes past the buffer; the out-of-bounds access happens in the callback, which in mosquitto_sub and mosquitto_rr reads granted_qos[0] unconditionally to report or act on the granted QoS.
The weakness is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). Note that the concrete fault in the bundled clients is a read of index 0 from a zero-byte heap allocation, so the realistic outcome is a crash or a bogus value rather than attacker-controlled memory corruption; applications with their own callbacks may behave differently. Exploitation requires the client to connect to an attacker-controlled or compromised broker, which is realistic in federated IoT deployments and bridged broker topologies where devices are pointed at brokers outside the operator's control.
Root Cause
The handler in lib/handle_suback.c derives qos_count from remaining_length - pos and immediately uses it for memory allocation and iteration. No check enforced the MQTT protocol requirement that a SUBACK carry at least one reason code, so a packet that ends right after the variable header yields qos_count == 0, a zero-byte allocation, and a callback invocation with an empty array that no callback author had reason to expect.
Attack Vector
The attacker operates an MQTT broker or is positioned to rewrite broker traffic (plaintext MQTT on port 1883, or TLS where the client does not verify the server certificate). When a vulnerable client subscribes to a topic, the broker responds with a crafted SUBACK whose remaining length covers only the variable header: for MQTT v3.1.1 that is the 2-byte packet identifier, for MQTT v5 the packet identifier plus the property block. The client computes qos_count == 0, calls mosquitto__malloc(0), and, unless the allocator returns NULL for a zero-byte request (in which case the existing allocation-failure check ends processing with MOSQ_ERR_NOMEM), invokes on_subscribe with a pointer to a zero-byte buffer that the callback then indexes.
qos_count = (int)(mosq->in_packet.remaining_length - mosq->in_packet.pos);
+ if(qos_count == 0) return MOSQ_ERR_PROTOCOL;
granted_qos = mosquitto__malloc((size_t)qos_count*sizeof(int));
if(!granted_qos){
#ifdef WITH_BROKER
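Review bot: the added `if(qos_count == 0) return MOSQ_ERR_PROTOCOL;` leaves the function without running the `#ifdef WITH_BROKER` cleanup that the allocation-failure branch directly beneath it performs, so whatever that branch releases is not released on the new error path (in MQTT v5 the property block sits before the reason codes, so it has already been parsed out of the packet by this point); give the guard the same block body as the NOMEM branch rather than a bare return. Secondary point: qos_count is an int cast from an unsigned subtraction, so `qos_count <= 0` costs nothing and also covers a negative value, and a one-line comment that a SUBACK must carry one reason code per topic filter of the SUBSCRIBE would explain why zero is a protocol error rather than a valid empty list.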
Source: eclipse-mosquitto/mosquitto commit 8ab20b4 — the added guard rejects SUBACK packets with missing reason codes by returning MOSQ_ERR_PROTOCOL before any allocation occurs.
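To make the sequence above concrete, here is an added example written for this page (it is not libmosquitto's own code) that models the MQTT v3.1.1 SUBACK path: the 2.0.18-style derivation of qos_count from the remaining length, the zero-byte allocation, the callback invocation, and the 2.0.19-style guard behind a `guard` switch. Struct names, error codes and function names are stand-ins. The `safe_on_subscribe` callback shows the check a custom application should make regardless of library version: test qos_count before touching granted_qos[0], which is the read mosquitto_sub and mosquitto_rr perform unconditionally. The sample packets are constructed.

```c
/* Added example modelling the libmosquitto client-side SUBACK path for MQTT
 * v3.1.1; not libmosquitto's code. Struct names, error codes and the `guard`
 * switch are stand-ins. After the fixed header a v3.1.1 SUBACK is the 2-byte
 * packet identifier followed by one reason code per requested topic filter. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum { ERR_SUCCESS = 0, ERR_NOMEM = 1, ERR_PROTOCOL = 2, ERR_MALFORMED = 3 };

/* Stand-in for the library's in_packet view: the bytes after the fixed header. */
struct suback_packet {
    const uint8_t *payload;
    uint32_t remaining_length;
    uint32_t pos;
};

/* What an application's on_subscribe callback observed. */
struct sub_result {
    int called;     /* 1 if the callback ran */
    int mid;
    int qos_count;
    int first_qos;  /* granted_qos[0], or -1 when qos_count == 0 */
};

typedef void (*on_subscribe_fn)(int mid, int qos_count, const int *granted_qos, void *userdata);

/* guard == 0 follows the 2.0.18 logic: qos_count comes straight from the
 * remaining length. guard == 1 adds the 2.0.19-style rejection of a SUBACK
 * that carries no reason codes. */
static int handle_suback(struct suback_packet *pkt, int guard, on_subscribe_fn cb, void *userdata)
{
    if (pkt->remaining_length < 2) return ERR_MALFORMED;   /* packet identifier missing */
    int mid = (pkt->payload[0] << 8) | pkt->payload[1];
    pkt->pos = 2;
    if (mid == 0) return ERR_PROTOCOL;

    int qos_count = (int)(pkt->remaining_length - pkt->pos);
    if (guard && qos_count == 0) return ERR_PROTOCOL;     /* the fix */

    /* qos_count == 0 makes this malloc(0): glibc returns a minimal chunk, some
     * allocators return NULL and the existing NOMEM branch ends processing. */
    int *granted_qos = malloc((size_t)qos_count * sizeof(int));
    if (!granted_qos) return ERR_NOMEM;

    for (int i = 0; pkt->pos < pkt->remaining_length; i++, pkt->pos++)
        granted_qos[i] = pkt->payload[pkt->pos];

    if (cb) cb(mid, qos_count, granted_qos, userdata);    /* empty array reaches the callback */
    free(granted_qos);
    return ERR_SUCCESS;
}

/* Defensive application callback: check qos_count before indexing. A callback
 * that prints granted_qos[0] unconditionally reads past the zero-byte buffer. */
static void safe_on_subscribe(int mid, int qos_count, const int *granted_qos, void *userdata)
{
    struct sub_result *r = userdata;
    r->called = 1;
    r->mid = mid;
    r->qos_count = qos_count;
    r->first_qos = qos_count > 0 ? granted_qos[0] : -1;
}

/* Constructed sample packets (bytes after the fixed header). */
static const uint8_t SUBACK_GOOD[]     = { 0x00, 0x01, 0x01 };  /* mid 1, granted QoS 1 */
static const uint8_t SUBACK_FAILED[]   = { 0x00, 0x02, 0x80 };  /* mid 2, subscription refused */
static const uint8_t SUBACK_NO_CODES[] = { 0x00, 0x03 };        /* mid 3, no reason codes: the trigger */

/* Feed one packet through the handler; returns what the callback saw, status in *rc_out. */
static struct sub_result run_case(const uint8_t *bytes, size_t len, int guard, int *rc_out)
{
    struct suback_packet pkt = { bytes, (uint32_t)len, 0 };
    struct sub_result r = { 0, 0, 0, -1 };
    int rc = handle_suback(&pkt, guard, safe_on_subscribe, &r);
    if (rc_out) *rc_out = rc;
    return r;
}

/* Handler status only. */
static int run_rc(const uint8_t *bytes, size_t len, int guard)
{
    int rc;
    run_case(bytes, len, guard, &rc);
    return rc;
}

int main(void)
{
    const struct { const char *name; const uint8_t *b; size_t n; } cases[] = {
        { "good",            SUBACK_GOOD,     sizeof SUBACK_GOOD },
        { "failed",          SUBACK_FAILED,   sizeof SUBACK_FAILED },
        { "no reason codes", SUBACK_NO_CODES, sizeof SUBACK_NO_CODES },
    };
    for (int guard = 0; guard <= 1; guard++) {
        for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
            int rc;
            struct sub_result r = run_case(cases[i].b, cases[i].n, guard, &rc);
            printf("guard=%d %-16s rc=%d callback=%d qos_count=%d first_qos=%d\n",
                   guard, cases[i].name, rc, r.called, r.qos_count, r.first_qos);
        }
    }
    printf("patched handler on empty SUBACK: rc=%d (ERR_PROTOCOL=%d)\n",
           run_rc(SUBACK_NO_CODES, sizeof SUBACK_NO_CODES, 1), ERR_PROTOCOL);
    return 0;
}
```

With guard == 0 the empty SUBACK reaches the callback with qos_count == 0 (or, on an allocator that returns NULL for malloc(0), stops with ERR_NOMEM); with guard == 1 it is rejected before any allocation. To see the unpatched failure itself, replace the ternary in `safe_on_subscribe` with a bare `granted_qos[0]` and build with `cc -fsanitize=address`: ASan reports a heap-buffer-overflow read on the zero-byte chunk, which is the access the bundled clients perform.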
Detection Methods for CVE-2024-10525
Indicators of Compromise
- Unexpected crashes or segmentation faults in mosquitto_sub, mosquitto_rr, or custom applications linked against libmosquitto
- MQTT SUBACK packets whose remaining length covers only the variable header (exactly 2 bytes for MQTT v3.1.1; the 2-byte packet identifier plus the encoded property block for MQTT v5), leaving no room for reason codes
- Connections from Mosquitto clients to untrusted, public, or unverified broker endpoints
Detection Strategies
- Inventory all hosts running libmosquitto between versions 1.3.2 and 2.0.18 using software bill of materials (SBOM) tooling or package managers (dpkg -l 'mosquitto*' 'libmosquitto*' on Debian and Ubuntu, rpm -qa 'mosquitto*' on RPM-based systems); custom applications may bundle or statically link the library and will not show up as a package.
- Inspect MQTT traffic at the network boundary for malformed SUBACK packets: a remaining length that covers only the packet identifier (and, for MQTT v5, the property block) means zero reason codes, and any count lower than the number of topic filters in the matching SUBSCRIBE is suspect. TLS-protected sessions can only be checked where the TLS is terminated or on the client host itself.
- Correlate client process crashes with preceding outbound MQTT sessions to identify potential exploitation attempts.
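The wire-level check from the second strategy above, as an added example (not a Mosquitto tool and not code from the project): it walks the broker-to-client bytes of one session, decodes each fixed header's variable-byte-integer remaining length, and for every SUBACK counts the reason codes that follow the variable header. The MQTT version is taken from the session's CONNECT and is passed in by the caller here; it goes a step beyond the text by handling both v3.1.1 and v5 framing. The sample streams are constructed.

```c
/* Added example: flag SUBACK frames with zero reason codes in a captured
 * broker-to-client byte stream. Not a Mosquitto tool. mqtt_version is the
 * protocol level from the session's CONNECT: 4 for v3.1.1, 5 for v5. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum {
    FRAME_TRUNCATED = -1,         /* buffer ends inside the frame */
    FRAME_BAD_VARINT = -2,        /* length field not encodable in 4 bytes */
    SUBACK_OK = 0,
    SUBACK_NO_REASON_CODES = 1,   /* the malformed shape behind CVE-2024-10525 */
    NOT_SUBACK = 2
};

#define MQTT_SUBACK 9   /* control packet type, high nibble of the first byte */

/* MQTT Variable Byte Integer: up to 4 bytes, 7 data bits each, MSB set = more follows. */
static int read_varint(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    uint32_t value = 0, mult = 1;
    size_t p = *pos;
    for (int i = 0; i < 4; i++) {
        if (p >= len) return FRAME_TRUNCATED;
        uint8_t b = buf[p++];
        value += (uint32_t)(b & 0x7F) * mult;
        if (!(b & 0x80)) { *pos = p; *out = value; return 0; }
        mult *= 128;
    }
    return FRAME_BAD_VARINT;
}

/* Decode one control packet at buf[*pos] and advance *pos past it. For a
 * SUBACK, *reason_codes receives the number of bytes left after the variable
 * header (packet identifier, plus the property block in v5). */
static int check_frame(const uint8_t *buf, size_t len, size_t *pos, int mqtt_version, uint32_t *reason_codes)
{
    if (*pos >= len) return FRAME_TRUNCATED;
    uint8_t type = buf[*pos] >> 4;
    size_t p = *pos + 1;
    uint32_t remaining;
    int rc = read_varint(buf, len, &p, &remaining);
    if (rc) return rc;
    if (remaining > len - p) return FRAME_TRUNCATED;
    size_t end = p + remaining;
    *pos = end;
    if (type != MQTT_SUBACK) return NOT_SUBACK;

    if (remaining < 2) return FRAME_TRUNCATED;   /* packet identifier missing */
    p += 2;
    if (mqtt_version == 5) {
        uint32_t prop_len;
        rc = read_varint(buf, end, &p, &prop_len);
        if (rc) return rc;
        if (prop_len > end - p) return FRAME_TRUNCATED;
        p += prop_len;                           /* property contents do not affect the count */
    }
    *reason_codes = (uint32_t)(end - p);
    return *reason_codes == 0 ? SUBACK_NO_REASON_CODES : SUBACK_OK;
}

/* Count SUBACKs with no reason codes in a session's broker-to-client stream. */
static int count_empty_subacks(const uint8_t *buf, size_t len, int mqtt_version)
{
    size_t pos = 0;
    int flagged = 0;
    while (pos < len) {
        uint32_t n = 0;
        int rc = check_frame(buf, len, &pos, mqtt_version, &n);
        if (rc < 0) break;                       /* unparseable; a real sensor would log this too */
        if (rc == SUBACK_NO_REASON_CODES) flagged++;
    }
    return flagged;
}

/* Constructed sample streams (broker -> client direction only). */
static const uint8_t V311_STREAM[] = {
    0x20, 0x02, 0x00, 0x00,        /* CONNACK, session present 0, return code 0 */
    0x90, 0x03, 0x00, 0x01, 0x01,  /* SUBACK mid 1, one reason code: granted QoS 1 */
    0x90, 0x02, 0x00, 0x02,        /* SUBACK mid 2, remaining length 2: no reason codes */
};
static const uint8_t V5_STREAM[] = {
    0x20, 0x03, 0x00, 0x00, 0x00,                    /* CONNACK with empty property block */
    0x90, 0x04, 0x00, 0x01, 0x00, 0x01,              /* SUBACK mid 1, no properties, granted QoS 1 */
    0x90, 0x06, 0x00, 0x02, 0x03, 0x1F, 0x00, 0x00,  /* SUBACK mid 2, Reason String "" property, no reason codes */
};

int main(void)
{
    printf("v3.1.1 stream: %d empty SUBACK(s)\n", count_empty_subacks(V311_STREAM, sizeof V311_STREAM, 4));
    printf("v5 stream:     %d empty SUBACK(s)\n", count_empty_subacks(V5_STREAM, sizeof V5_STREAM, 5));
    return 0;
}
```

Each sample stream contains one well-formed SUBACK and one with an empty reason-code list; the v5 case shows why the property block must be skipped rather than counted, since a SUBACK with a Reason String property and no reason codes is still the malformed shape. Feed the function the reassembled TCP payload of the broker-to-client direction; it stops at the first frame it cannot parse rather than guessing.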
Monitoring Recommendations
- Log all outbound MQTT broker destinations from IoT gateways and edge devices to detect connections to unauthorized brokers.
- Enable core dump collection on devices running Mosquitto clients to support post-incident analysis.
- Track the Eclipse vulnerability report and Debian LTS announcements for downstream patch availability.
How to Mitigate CVE-2024-10525
Immediate Actions Required
- Upgrade libmosquitto and the Mosquitto client utilities to version 2.0.19 or later on all affected systems.
- For Debian-based distributions on long-term support, apply the security update referenced in the Debian LTS announcement.
- Restrict outbound MQTT connections so that clients only reach trusted, authenticated brokers.
Patch Information
The fix is upstream in Mosquitto 2.0.19, announced in the Mosquitto 2.0.19 release blog. The corrective change is captured in commit 8ab20b4 and adds a protocol validation check that rejects SUBACK packets with missing reason codes:
Client library:
- Don't allow SUBACK with missing reason codes.
Source: Mosquitto ChangeLog
Workarounds
- Configure clients to connect only to brokers under organizational control and enforce mutual TLS authentication to prevent rogue brokers from impersonating trusted endpoints.
- Use MQTT bridges or proxies that validate SUBACK packet structure before forwarding traffic to downstream clients.
- Where patching is not yet feasible, avoid using mosquitto_sub and mosquitto_rr against untrusted brokers and isolate IoT clients on segmented networks.
# Verify the installed Mosquitto client library version (the help banner names both the client version and the libmosquitto it runs on)
mosquitto_sub --help | grep -i version
dpkg -l | grep -E 'mosquitto|libmosquitto'
# Upgrade on Debian/Ubuntu after the security update is available
sudo apt-get update && sudo apt-get install --only-upgrade mosquitto mosquitto-clients libmosquitto1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


