CVE-2025-10543 Overview
CVE-2025-10543 is an integer truncation vulnerability in the Eclipse Paho Go MQTT library (paho.mqtt.golang) versions 1.5.0 and earlier. The library converts UTF-8 string lengths from int64 or int32 to int16 without overflow checks. Strings exceeding 65535 bytes produce corrupted MQTT packets in which excess data leaks into adjacent protocol fields. An MQTT topic over the size limit can spill into the message body of a PUBLISH packet, exposing data to unintended recipients. The flaw is tracked under CWE-197: Numeric Truncation Error.
Critical Impact
Oversized UTF-8 inputs can leak topic data into MQTT message bodies, causing information disclosure to MQTT brokers and subscribers.
Affected Products
- Eclipse Paho MQTT Go client library (paho.mqtt.golang) versions <=1.5.0
- Go applications using the MQTT v3.1 client implementation
- MQTT publishers transmitting topics or payloads exceeding 65535 bytes
Discovery Timeline
- 2025-12-02 - CVE-2025-10543 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-10543
Vulnerability Analysis
The Eclipse Paho Go MQTT v3.1 library encodes UTF-8 strings into MQTT packets using a length-prefixed format. MQTT specifies a 16-bit unsigned length field followed by the string bytes. The library accepts string lengths typed as int64 or int32 depending on the host CPU architecture. The encoding routine casts that length directly to int16 without validating the value fits within the 16-bit range.
When the input exceeds 65535 bytes, the truncated length field no longer matches the actual byte count written to the buffer. The library writes the truncated length, then writes the full payload. The MQTT broker parses the declared length and treats subsequent bytes as the next protocol field. Excess bytes from an oversized topic flow into the message payload, and excess payload bytes can shift the parser into adjacent control data.
Root Cause
The root cause is an unchecked numeric conversion from a wide integer type to int16. The encoder omits bounds checking before truncation, which violates the MQTT specification's 65535-byte string limit. The mismatch between the declared length and the written byte count desynchronizes the broker's packet parser.
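The following Go program is an added illustration of the mechanism described in the analysis and root cause above; it is not code from the Paho library. EncodeStringTruncating reconstructs the unchecked narrowing to int16 as the text describes it, EncodeStringChecked is the hardened form that rejects what a 16-bit length prefix cannot describe, and DecodeString performs the same length-prefix parse a broker or subscriber performs. ReceiverView encodes a QoS 0 PUBLISH (topic name followed by payload, which is not length-prefixed) with the truncating encoder and parses it back, so the reader can see the tail of an oversized topic land in the payload the receiver reports. The 65543-byte topic and the JSON payload are constructed sample values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// MaxUTF8Len is the largest byte length an MQTT UTF-8 encoded string may
// carry, because the length prefix is a 16-bit unsigned field.
const MaxUTF8Len = 65535

// ErrStringTooLong is returned by the checked encoder for oversized input.
var ErrStringTooLong = errors.New("mqtt: UTF-8 string exceeds 65535 bytes")

// EncodeStringTruncating mirrors the defect described for CVE-2025-10543:
// the byte length is narrowed to int16 without a range check, so anything
// above 65535 wraps modulo 65536 before it is written as the length prefix.
// This is an illustrative reconstruction, not the library's actual code.
func EncodeStringTruncating(s string) []byte {
	l := int16(len(s)) // unchecked narrowing: a 65543-byte string declares length 7
	out := make([]byte, 2, 2+len(s))
	binary.BigEndian.PutUint16(out, uint16(l))
	return append(out, s...) // the full string still follows the short prefix
}

// EncodeStringChecked is the hardened form: refuse input the 16-bit length
// field cannot describe instead of silently wrapping it.
func EncodeStringChecked(s string) ([]byte, error) {
	if len(s) > MaxUTF8Len {
		return nil, ErrStringTooLong
	}
	out := make([]byte, 2+len(s))
	binary.BigEndian.PutUint16(out, uint16(len(s)))
	copy(out[2:], s)
	return out, nil
}

// DecodeString is what a receiver (broker or subscriber) does: read the
// 16-bit prefix, take that many bytes as the string, and treat whatever
// remains as the next protocol field.
func DecodeString(buf []byte) (s string, rest []byte, err error) {
	if len(buf) < 2 {
		return "", nil, errors.New("mqtt: buffer too short for length prefix")
	}
	n := int(binary.BigEndian.Uint16(buf))
	if len(buf) < 2+n {
		return "", nil, errors.New("mqtt: declared length exceeds buffer")
	}
	return string(buf[2 : 2+n]), buf[2+n:], nil
}

// ReceiverView encodes a QoS 0 PUBLISH variable header (topic name) and
// payload the way the truncating encoder would, then parses it back the way
// a receiver would. It returns the topic and payload the receiver believes
// it got, which is where the parser desynchronisation becomes visible.
func ReceiverView(topic string, payload []byte) (gotTopic string, gotPayload []byte, err error) {
	var packet []byte
	packet = append(packet, EncodeStringTruncating(topic)...)
	packet = append(packet, payload...) // payload runs to the end of the packet
	return DecodeString(packet)
}

func main() {
	// Constructed sample: a 65543-byte topic whose last 7 bytes should never
	// appear anywhere but the topic field.
	topic := strings.Repeat("a", 65536) + "/secret"
	payload := []byte(`{"temp":21.5}`)

	gotTopic, gotPayload, err := ReceiverView(topic, payload)
	fmt.Printf("receiver topic: %q (err=%v)\n", gotTopic, err)
	if err == nil && len(gotPayload) >= 20 {
		fmt.Printf("receiver payload: %d bytes, tail %q\n", len(gotPayload), gotPayload[len(gotPayload)-20:])
	}

	if _, err := EncodeStringChecked(topic); err != nil {
		fmt.Println("checked encoder:", err)
	}
}
```

With the sample input the receiver sees a 7-byte topic "aaaaaaa" and a payload that ends in "/secret" followed by the real message body: the remaining length still matches the bytes on the wire, so nothing in the fixed header flags the packet, only the topic-length field is wrong. The checked encoder returns ErrStringTooLong for the same input, which is the behaviour a fixed release must have.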
Attack Vector
Exploitation requires an application using the affected client to publish a message with a topic or payload longer than 65535 bytes. An attacker who controls input feeding into MQTT topics or payloads can trigger the truncation. The result is unintended data disclosure to the MQTT broker and any subscriber receiving the malformed PUBLISH packet. See the Eclipse GitLab Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-10543
Indicators of Compromise
- MQTT PUBLISH packets with declared topic lengths near 0 followed by unusually large payloads
- Subscriber clients receiving messages containing fragments of topic strings prepended to the expected payload
- Broker parse errors or unexpected disconnections correlated with publishers running affected Go client versions
Detection Strategies
- Inventory Go applications and dependencies for github.com/eclipse/paho.mqtt.golang at version 1.5.0 or earlier using go list -m all or SBOM tooling
- Inspect MQTT broker logs for malformed packet errors, oversized PUBLISH frames, or protocol violations from specific client IDs
- Capture network traffic on MQTT ports (1883, 8883) and parse for PUBLISH packets where remaining-length exceeds the declared topic length plus payload
Monitoring Recommendations
- Alert on MQTT client publishes exceeding 65535-byte topic or payload sizes at the application layer
- Track dependency versions in CI/CD pipelines and fail builds that pin vulnerable Paho Go releases
- Forward MQTT broker access and error logs to a centralized logging platform for protocol anomaly correlation
How to Mitigate CVE-2025-10543
Immediate Actions Required
- Identify all Go services importing paho.mqtt.golang at version 1.5.0 or below
- Upgrade to a fixed release of the Eclipse Paho Go MQTT library as published in the Eclipse GitLab Vulnerability Report
- Audit application code paths that build MQTT topics or payloads from untrusted or unbounded input
Patch Information
Eclipse maintainers tracked remediation through the Eclipse GitLab Vulnerability Report. Consumers should update paho.mqtt.golang to a version above 1.5.0 once published and rebuild affected binaries. Verify the upgrade with go mod tidy and redeploy MQTT publishers and subscribers.
Workarounds
- Enforce application-level length validation on every MQTT topic and payload before calling Publish, rejecting values over 65535 bytes
- Limit user-controlled data that can be concatenated into MQTT topics, such as device identifiers or routing keys
- Configure MQTT brokers to reject malformed packets and disconnect clients that violate protocol length constraints
# Upgrade example: move to the latest published release and rebuild
go get github.com/eclipse/paho.mqtt.golang@latest
go mod tidy
go build ./...
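The Go program below is an added example of the first two workarounds and the application-layer alert from the monitoring recommendations; it is not code from the Paho project. It assumes a minimal Publisher interface (an adapter around the Paho client's Publish, which returns a Token, would satisfy it), a Guard that rejects oversized or malformed topics and payloads before they reach the library's encoder, and TopicForDevice, which builds a topic from an untrusted device identifier restricted to a conservative character set. MaxDeviceIDLen and MaxPayloadBytes are assumed application policies; MaxTopicBytes is the protocol's 16-bit string limit. The recorder type and the sample device IDs are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

const (
	MaxTopicBytes   = 65535 // 16-bit length prefix of the MQTT UTF-8 string
	MaxPayloadBytes = 65535 // assumed policy, following the workaround above
	MaxDeviceIDLen  = 64    // assumed policy for user-controlled topic levels
)

var (
	ErrTopicTooLong   = errors.New("publish rejected: topic exceeds 65535 bytes")
	ErrPayloadTooLong = errors.New("publish rejected: payload exceeds configured limit")
	ErrBadTopic       = errors.New("publish rejected: not a valid MQTT topic name")
	ErrBadDeviceID    = errors.New("device id contains characters not allowed in a topic level")
)

// Publisher is an assumed minimal interface; an adapter around the Paho
// client's Publish (which returns a Token) would satisfy it.
type Publisher interface {
	Publish(topic string, qos byte, retained bool, payload []byte) error
}

// Guard wraps a Publisher and refuses oversized or malformed publishes
// before they reach the library's encoder. OnReject is an alerting hook.
type Guard struct {
	Next     Publisher
	OnReject func(reason error, topicLen, payloadLen int) // may be nil
}

// ValidateTopic enforces the length limit plus the MQTT topic-name rules a
// publisher must follow: non-empty, valid UTF-8, no U+0000, no wildcards.
func ValidateTopic(topic string) error {
	switch {
	case len(topic) == 0, !utf8.ValidString(topic):
		return ErrBadTopic
	case strings.ContainsAny(topic, "+#\x00"):
		return ErrBadTopic
	case len(topic) > MaxTopicBytes:
		return ErrTopicTooLong
	}
	return nil
}

// TopicForDevice builds "<prefix>/<deviceID>/<suffix>" from an untrusted
// device identifier, so user-controlled data cannot inject separators,
// wildcards or bulk into the topic.
func TopicForDevice(prefix, deviceID, suffix string) (string, error) {
	if deviceID == "" || len(deviceID) > MaxDeviceIDLen {
		return "", ErrBadDeviceID
	}
	for _, r := range deviceID {
		ok := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
			(r >= '0' && r <= '9') || r == '-' || r == '_'
		if !ok {
			return "", ErrBadDeviceID
		}
	}
	topic := prefix + "/" + deviceID + "/" + suffix
	if err := ValidateTopic(topic); err != nil {
		return "", err
	}
	return topic, nil
}

// Publish applies the checks and forwards only compliant messages.
func (g *Guard) Publish(topic string, qos byte, retained bool, payload []byte) error {
	err := ValidateTopic(topic)
	if err == nil && len(payload) > MaxPayloadBytes {
		err = ErrPayloadTooLong
	}
	if err != nil {
		if g.OnReject != nil {
			g.OnReject(err, len(topic), len(payload)) // sizes only; never log the oversized data
		}
		return err
	}
	return g.Next.Publish(topic, qos, retained, payload)
}

// recorder is a constructed in-memory Publisher used for the demonstration.
type recorder struct{ topics []string }

func (r *recorder) Publish(topic string, _ byte, _ bool, _ []byte) error {
	r.topics = append(r.topics, topic)
	return nil
}

func main() {
	rec := &recorder{}
	g := &Guard{Next: rec, OnReject: func(reason error, topicLen, payloadLen int) {
		fmt.Printf("ALERT %v (topic %d bytes, payload %d bytes)\n", reason, topicLen, payloadLen)
	}}
	good, _ := TopicForDevice("sensors", "dev-42", "temp")
	fmt.Println(g.Publish(good, 0, false, []byte("21.5")))
	fmt.Println(g.Publish(strings.Repeat("x", 70000), 0, false, []byte("x")))
	_, err := TopicForDevice("sensors", "../#", "temp")
	fmt.Println(err, rec.topics)
}
```

The guard checks byte length rather than rune count, since the 16-bit prefix counts UTF-8 bytes, and the alert hook receives only sizes so that an oversized topic is not copied into logs.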
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.