CVE-2025-10543 Overview
CVE-2025-10543 is an Integer Overflow vulnerability discovered in the Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) affecting versions 1.5.0 and earlier. The vulnerability occurs when UTF-8 encoded strings passed into the library exceed 65535 bytes, causing incorrect encoding due to an unsafe integer conversion. This flaw can result in unexpected content in MQTT packets sent to the server, potentially leaking sensitive data from one packet field into another.
The core issue stems from the library converting data lengths from int64/int32 (depending on CPU architecture) to int16 without proper overflow checks. When the original data exceeds the maximum value representable by int16 (65535), the length field is truncated while the full data is still written, causing packet corruption and potential information disclosure.
Critical Impact
MQTT topic data may leak into message body content in PUBLISH packets, potentially exposing sensitive topic information or causing protocol-level message corruption in IoT and messaging applications.
Affected Products
- Eclipse Paho Go MQTT Library (paho.mqtt.golang) versions ≤1.5.0
- Applications using the affected library with UTF-8 strings exceeding 65535 bytes
- IoT systems and messaging platforms built on the vulnerable library versions
Discovery Timeline
- December 2, 2025 - CVE-2025-10543 published to NVD
- December 2, 2025 - Last updated in NVD database
Technical Details for CVE-2025-10543
Vulnerability Analysis
This vulnerability is classified as CWE-197 (Numeric Truncation Error), carrying a CVSS 4.0 score of 6.3 (Medium severity). The attack vector is network-based with low attack complexity, though it requires specific preconditions to be met for successful exploitation.
The CVSS vector string is: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Key CVSS metrics indicate:
- Attack Vector (AV): Network - exploitable remotely
- Attack Complexity (AC): Low - no specialized conditions required
- Attack Requirements (AT): Present - specific preconditions needed
- Privileges Required (PR): None - no authentication needed
- Confidentiality Impact (VC): Low - limited information disclosure
The EPSS (Exploit Prediction Scoring System) probability is 0.055% with a percentile ranking of 17.41, indicating a relatively low likelihood of active exploitation in the wild.
Root Cause
The root cause is an unsafe integer type conversion in the library's string encoding logic. When processing UTF-8 strings, the library:
- Receives data with a length stored as int64 or int32 (platform-dependent)
- Converts this length to int16 without validating that the value fits within the int16 range (0 to 65535)
- Writes the truncated int16 length value to the packet
- Writes the full original data to the packet
This type coercion without bounds checking means that a 70,000-byte topic name would have its length field set to approximately 4,465 (70000 mod 65536), while all 70,000 bytes of actual data are written to the packet.
Attack Vector
The vulnerability can be triggered through network-accessible MQTT communication channels. An attacker or application inadvertently using oversized UTF-8 strings (topics, client IDs, or other string fields) could cause:
- Information Leakage: Topic names exceeding the length boundary may have their content leak into subsequent packet fields, such as the message payload in PUBLISH packets
- Protocol Corruption: Malformed packets may cause unexpected behavior in MQTT brokers or other clients parsing the corrupted data
- Data Integrity Issues: Message content may become intermixed with topic data, corrupting application-layer information
The vulnerability does not require authentication and can be triggered by any client sending oversized strings through the affected library. For detailed technical information, refer to the Eclipse security vulnerability report.
Detection Methods for CVE-2025-10543
Indicators of Compromise
- Malformed MQTT packets with mismatched length fields and actual data sizes
- MQTT broker logs showing parsing errors or unexpected packet structures
- Application logs indicating message corruption or unexpected topic/payload content
- Network traffic containing MQTT packets where topic data appears in message body sections
Detection Strategies
Dependency Analysis:
- Audit Go module dependencies for paho.mqtt.golang versions ≤1.5.0
- Use go list -m all | grep paho.mqtt.golang to identify vulnerable library versions
- Implement Software Composition Analysis (SCA) tools in CI/CD pipelines
Network Monitoring:
- Deploy deep packet inspection for MQTT traffic to identify malformed packets
- Monitor for MQTT packets with length field discrepancies
- Alert on PUBLISH packets where topic boundaries appear corrupted
Application-Level Detection:
- Implement logging for all MQTT string fields exceeding 60,000 bytes
- Add validation checks for UTF-8 string lengths before library calls
- Monitor for message integrity failures in consuming applications
Monitoring Recommendations
Organizations using the Eclipse Paho Go MQTT library should implement continuous monitoring:
- Inventory Management: Maintain an accurate inventory of all applications using paho.mqtt.golang
- Version Tracking: Implement automated tracking of library versions across all deployments
- Traffic Analysis: Monitor MQTT broker logs for protocol-level anomalies
- Integrity Checks: Implement message integrity validation on critical MQTT communications
SentinelOne Singularity provides visibility into application dependencies and can help identify systems running vulnerable library versions through its asset inventory and vulnerability management capabilities.
How to Mitigate CVE-2025-10543
Immediate Actions Required
- Upgrade paho.mqtt.golang to a patched version when available from Eclipse
- Implement input validation to reject UTF-8 strings exceeding 65535 bytes before passing to the library
- Review application code for any usage patterns that could generate oversized string fields
- Monitor MQTT traffic for signs of packet corruption or information leakage
Patch Information
The vulnerability was disclosed through the Eclipse security vulnerability reporting process. Organizations should monitor the Eclipse Paho Go MQTT repository for official patch releases and upgrade guidance.
When a patched version becomes available:
- Update the dependency in go.mod: require github.com/eclipse/paho.mqtt.golang v1.x.x (patched version)
- Run go mod tidy to update the dependency tree
- Rebuild and redeploy affected applications
- Verify the fix by testing with strings near and exceeding the 65535-byte boundary
Workarounds
Until an official patch is available, implement application-level mitigations:
Input Validation Approach:
Applications should validate all UTF-8 string inputs before passing them to the MQTT library. Implement length checks on topic names, client identifiers, and other string fields to ensure they do not exceed 65535 bytes. This validation should occur at the application boundary, before any data reaches the vulnerable library code.
String Truncation Strategy:
For applications where oversized strings may legitimately occur, implement a truncation mechanism that safely limits string lengths to 65535 bytes while logging truncation events for audit purposes. This approach prevents the integer overflow while maintaining application functionality.
Network Segmentation:
Isolate MQTT communications within trusted network segments to limit potential exposure of leaked information. Implement TLS encryption for all MQTT traffic to protect data in transit, regardless of packet-level corruption.
# Check current paho.mqtt.golang version in your Go project
go list -m -versions github.com/eclipse/paho.mqtt.golang
# Update to latest version (when patch is available)
go get github.com/eclipse/paho.mqtt.golang@latest
go mod tidy
# Verify updated version
go list -m github.com/eclipse/paho.mqtt.golang
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
