CVE-2024-10525
- Source
- https://cve.org/CVERecord?id=CVE-2024-10525
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10525.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-10525
- Downstream
- Published
- 2024-10-30T12:15:02.787Z
- Modified
- 2026-02-14T07:55:15.401029Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its onsubscribe callback. This affects the mosquittosub and mosquitto_rr clients.
- References
-
- https://lists.debian.org/debian-lts-announce/2025/02/msg00022.html
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190
- https://mosquitto.org/blog/2024/10/version-2-0-19-released/
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190
- https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190
Affected packages
Git / github.com/eclipse-mosquitto/mosquitto
Affected ranges
- Type
- GIT
- Repo
- https://github.com/eclipse-mosquitto/mosquitto
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v1.*
v1.4
v1.4.1
v1.4.10
v1.4.11
v1.4.12
v1.4.13
v1.4.14
v1.4.15
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.5
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.7
v1.5.8
v1.6
v1.6.1
v1.6.10
v1.6.11
v1.6.12
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-10525.json"
vanir_signatures
[
{
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c",
"digest": {
"function_hash": "29036111489348541762894021766668069100",
"length": 1918.0
},
"id": "CVE-2024-10525-d05b89c8",
"deprecated": false,
"target": {
"file": "lib/handle_suback.c",
"function": "handle__suback"
}
},
{
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c",
"digest": {
"line_hashes": [
"94950051260452402365347931505757235218",
"96581849340855976114804582782750664304",
"5849565670273732554841845849192978354",
"173389902800579440755348116221827973798"
],
"threshold": 0.9
},
"id": "CVE-2024-10525-fcb71ac0",
"deprecated": false,
"target": {
"file": "lib/handle_suback.c"
}
}
]