CVE-2025-66217 Overview
CVE-2025-66217 is an integer underflow vulnerability in the MQTT parsing logic of AIS-catcher, a multi-platform AIS (Automatic Identification System) receiver. Prior to version 0.64, this vulnerability allows an attacker to trigger a massive Heap Buffer Overflow by sending a malformed MQTT packet with a manipulated Topic Length field. The impact ranges from immediate Denial of Service (DoS) to severe Memory Corruption that can potentially be leveraged for Remote Code Execution (RCE) when AIS-catcher is used as a library.
Critical Impact
An attacker can exploit this integer underflow vulnerability via network-based malformed MQTT packets to cause system crashes or potentially achieve remote code execution in library deployments.
Affected Products
- AIS-catcher versions prior to 0.64
- Systems using AIS-catcher as an embedded library
- Network-exposed AIS-catcher deployments with MQTT functionality enabled
Discovery Timeline
- 2025-11-29 - CVE-2025-66217 published to NVD
- 2025-12-23 - Last updated in NVD database
Technical Details for CVE-2025-66217
Vulnerability Analysis
The vulnerability resides in the MQTT parsing logic of AIS-catcher where insufficient validation of the Topic Length field allows an integer underflow condition. When a malformed MQTT packet contains a manipulated Topic Length value, the arithmetic operation results in an underflow, causing the application to allocate or access an incorrect amount of memory. This triggers a massive Heap Buffer Overflow condition.
The attack is network-accessible, requiring no authentication or user interaction, making it particularly dangerous for internet-facing deployments. When AIS-catcher is deployed as a standalone application, exploitation results in immediate application crash (DoS). However, when integrated as a library within other applications, the memory corruption can potentially be weaponized for Remote Code Execution.
Root Cause
The root cause is classified under CWE-191 (Integer Underflow) and CWE-122 (Heap-based Buffer Overflow). The MQTT parsing code failed to properly validate the Topic Length field before performing arithmetic operations, allowing attackers to supply values that cause integer underflow. This underflow then propagates to memory allocation or buffer access operations, resulting in heap-based buffer overflow conditions.
Attack Vector
The attack vector is network-based, requiring the attacker to send specially crafted MQTT packets to the vulnerable AIS-catcher instance. The attacker manipulates the Topic Length field in the MQTT packet header to trigger the integer underflow:
- Attacker crafts a malformed MQTT packet with an invalid Topic Length value
- The vulnerable parsing logic performs arithmetic on this value without proper bounds checking
- Integer underflow occurs, resulting in an extremely large computed value
- This value is used in subsequent memory operations, causing heap buffer overflow
- Depending on deployment context, this leads to DoS or potential RCE
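The five steps above come down to one missing comparison: the Topic Length must be checked against the bytes that actually follow it before any subtraction is done. The following bounds-checked MQTT PUBLISH parser is an added example, not AIS-catcher's code; it follows the MQTT 3.1.1 packet layout, uses names of its own choosing, and keeps the unchecked subtraction as a separate function only to show the wrap-around value the advisory refers to.

```cpp
// Added example (not AIS-catcher's code): a bounds-checked MQTT PUBLISH parser
// that rejects a Topic Length larger than the data that follows it, the class of
// malformed packet described above. Layout follows MQTT 3.1.1; names are our own.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct Publish { std::string topic; std::vector<uint8_t> payload; uint8_t qos = 0; };

// The unchecked arithmetic pattern: with size_t operands, a Topic Length larger
// than remaining-2 wraps to a value near SIZE_MAX that then drives a copy or
// allocation (the "extremely large computed value" in the advisory).
size_t uncheckedPayloadLen(size_t remaining, size_t topicLen) {
    return remaining - 2 - topicLen;
}

// Parses one PUBLISH packet; returns false on any inconsistent length field.
bool parsePublish(const std::vector<uint8_t>& pkt, Publish& out) {
    if (pkt.size() < 2 || (pkt[0] >> 4) != 3) return false;  // type 3 = PUBLISH
    out.qos = (pkt[0] >> 1) & 0x03;
    if (out.qos == 3) return false;                            // reserved value
    // Remaining Length: 1..4 byte variable-length integer, 7 data bits per byte.
    size_t pos = 1, remaining = 0, mult = 1;
    for (;;) {
        if (pos >= pkt.size() || pos > 4) return false;
        uint8_t b = pkt[pos++];
        remaining += (b & 0x7F) * mult;
        if (!(b & 0x80)) break;
        mult *= 128;
    }
    if (remaining != pkt.size() - pos) return false;          // header disagrees with body
    // Variable header: 2-byte Topic Length, topic bytes, 2-byte Packet Id if QoS > 0.
    if (remaining < 2) return false;
    size_t topicLen = (size_t(pkt[pos]) << 8) | pkt[pos + 1];
    size_t fixed = 2 + topicLen + (out.qos > 0 ? 2 : 0);
    if (fixed > remaining) return false;                      // the check the bug lacked
    size_t payloadLen = remaining - fixed;                    // cannot wrap any more
    out.topic.assign(pkt.begin() + pos + 2, pkt.begin() + pos + 2 + topicLen);
    size_t payloadStart = pos + fixed;
    out.payload.assign(pkt.begin() + payloadStart, pkt.begin() + payloadStart + payloadLen);
    return true;
}
```

The same routine can serve as the packet-structure validator mentioned under the workarounds: anything it rejects never reaches the rest of the application.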
// Security patch in Source/Marine/Message.cpp
// Source: https://github.com/jvde-github/AIS-catcher/commit/e0f7242eee659909adc11a4c561c3f7011bdefe7
if (getLength() > 0)
ss << ",\"mmsi\":" << mmsi() << ",\"type\":" << type();
- ss << ",\"nmea\":[\"" << NMEA[0] << "\"";
-
- for (int j = 1; j < NMEA.size(); j++)
- ss << ",\"" << NMEA[j] << "\"";
+ ss << ",\"nmea\":[";
+ const char *delim = "";
+ for (const auto &n : NMEA)
+ {
+ ss << delim << "\"" << n << "\"";
+ delim = ",";
+ }
ss << "]}";
return ss.str();
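Review bot: The removed lines read NMEA[0] unconditionally before the loop starts, so an empty NMEA vector is an out-of-bounds access regardless of what the loop bounds do; the range-based loop in the added lines removes that unconditional read and also drops the signed/unsigned comparison in "j < NMEA.size()" (int against size_t). Two points worth a comment in the code: the new version emits "nmea":[] for an empty vector, which downstream JSON consumers must accept, and the unbraced "if (getLength() > 0)" context line guards only the mmsi/type statement, so the NMEA serialisation runs even for zero-length messages.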
The patch addresses the vulnerability by eliminating the assumption that the NMEA array contains at least one element (the removed code reads NMEA[0] unconditionally and then loops from j = 1, which could lead to an underflow when j = 1 and NMEA.size() = 0), replacing it with a range-based loop that handles an empty array gracefully.
Detection Methods for CVE-2025-66217
Indicators of Compromise
- Unexpected crashes or segmentation faults in AIS-catcher processes
- Anomalous MQTT traffic patterns with malformed packet headers
- Memory corruption errors in system logs related to AIS-catcher
- Unusual heap allocation failures or out-of-memory conditions in otherwise stable deployments
Detection Strategies
- Monitor AIS-catcher process stability and restart frequency for signs of exploitation attempts
- Implement network traffic analysis to detect malformed MQTT packets with suspicious Topic Length values
- Deploy runtime exploit mitigations (ASLR, stack canaries) so that exploitation attempts fail as observable crashes rather than succeeding silently
- Enable comprehensive logging on MQTT-enabled services to capture parsing errors
Monitoring Recommendations
- Establish baseline behavior for AIS-catcher deployments and alert on deviations
- Configure intrusion detection systems to monitor for MQTT protocol anomalies
- Implement process monitoring to detect unexpected AIS-catcher terminations
- Review system logs regularly for memory-related errors and segmentation faults
How to Mitigate CVE-2025-66217
Immediate Actions Required
- Upgrade AIS-catcher to version 0.64 or later immediately
- If upgrade is not immediately possible, consider disabling MQTT functionality temporarily
- Restrict network access to AIS-catcher deployments using firewall rules
- Implement network segmentation to limit exposure of vulnerable instances
Patch Information
The vulnerability has been patched in AIS-catcher version 0.64. The security fix is available via the GitHub commit e0f7242. Organizations should review the GitHub Security Advisory GHSA-93mj-c8q3-69rg for complete details on the vulnerability and remediation steps.
Workarounds
- Disable MQTT functionality in AIS-catcher configuration if not required for operations
- Deploy network-level filtering to restrict MQTT traffic to trusted sources only
- Run AIS-catcher in an isolated container or sandbox environment to limit RCE impact
- Implement application-level firewalls to validate MQTT packet structure before processing
# Configuration example - Restrict network access to AIS-catcher
# Add firewall rules to limit MQTT access to trusted hosts only.
# Rules are evaluated in order and -A appends to the end of the chain, so place
# these before any broader ACCEPT rule for the same port or they never match.
iptables -A INPUT -p tcp --dport 1883 -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 1883 -j DROP
# Alternatively, disable MQTT if not needed in your deployment
# Consult AIS-catcher documentation for configuration options
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.