CVE-2024-10525
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-10525
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10525.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-10525
- Downstream
- Published
- 2024-10-30T12:15:02.787Z
- Modified
- 2025-11-20T12:23:15.565486Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its onsubscribe callback. This affects the mosquittosub and mosquitto_rr clients.
- References
Affected packages
Git / github.com/eclipse-mosquitto/mosquitto
Affected ranges
- Type
- GIT
- Repo
- https://github.com/eclipse-mosquitto/mosquitto
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v1.*
v1.4
v1.4.1
v1.4.10
v1.4.11
v1.4.12
v1.4.13
v1.4.14
v1.4.15
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.5
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.7
v1.5.8
v1.6
v1.6.1
v1.6.10
v1.6.11
v1.6.12
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "lib/handle_suback.c",
"function": "handle__suback"
},
"signature_version": "v1",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c",
"digest": {
"length": 1918.0,
"function_hash": "29036111489348541762894021766668069100"
},
"id": "CVE-2024-10525-d05b89c8"
},
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "lib/handle_suback.c"
},
"signature_version": "v1",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c",
"digest": {
"line_hashes": [
"94950051260452402365347931505757235218",
"96581849340855976114804582782750664304",
"5849565670273732554841845849192978354",
"173389902800579440755348116221827973798"
],
"threshold": 0.9
},
"id": "CVE-2024-10525-fcb71ac0"
}
]
Git / github.com/eclipse/mosquitto
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "src/bridge.c",
"function": "bridge__connect_step1"
},
"signature_version": "v1",
"source": "https://github.com/eclipse/mosquitto/commit/5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79",
"digest": {
"length": 3362.0,
"function_hash": "328300029930406813138797490881719136165"
},
"id": "CVE-2024-10525-34ff54b6"
},
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "src/bridge.c"
},
"signature_version": "v1",
"source": "https://github.com/eclipse/mosquitto/commit/5eb40ee3d691fb3c2dc222685e7ffcf6e6a69a79",
"digest": {
"line_hashes": [
"112744184638913340540592059009065155160",
"173647425033737941360091521005652606556",
"129426418706414116545542920680687959565",
"177013983548820522005115672949777997892",
"261027843247209851251118222858259184730"
],
"threshold": 0.9
},
"id": "CVE-2024-10525-8f382462"
}
]