CVE-2025-68699

Source
https://cve.org/CVERecord?id=CVE-2025-68699
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68699.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68699
Aliases
  • GHSA-qv5f-c6v2-2f8h
Published
2026-02-04T19:25:12.716Z
Modified
2026-03-13T03:49:25.830482Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
NanoMQ $share/ Subscription Validation and Forwarding Parsing Inconsistency: NULL Pointer Increment Causes Crash
Details

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored in the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) parses the $share/ prefix a second time using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, subtopic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which calls strlen() on it and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7.
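The two checks the description above calls for, as an added example that is not NanoMQ's code or its patch: one parser that rejects a malformed $share/ filter at subscribe time and is reused, with its NULL result checked, on the send path. The function names (share_subtopic, sub_filter_is_valid, send_path_filter_len) are hypothetical, and the ShareName rules applied are those of MQTT 5.0 shared subscriptions (non-empty, no "/", "+" or "#", followed by a non-empty topic filter).

```c
#include <stdio.h>
#include <string.h>

#define SHARE_PREFIX     "$share/"
#define SHARE_PREFIX_LEN (sizeof(SHARE_PREFIX) - 1)

/* Hypothetical helper: returns the filter part of "$share/<group>/<filter>",
 * the topic itself for an ordinary filter, or NULL when malformed. */
const char *share_subtopic(const char *topic)
{
    if (topic == NULL || topic[0] == '\0')
        return NULL;
    if (strncmp(topic, SHARE_PREFIX, SHARE_PREFIX_LEN) != 0)
        return topic;                     /* not a shared subscription */

    const char *group = topic + SHARE_PREFIX_LEN;
    const char *sep   = strchr(group, '/');
    if (sep == NULL)                      /* "$share/ab": no second '/' */
        return NULL;
    if (sep == group)                     /* "$share//t": empty ShareName */
        return NULL;
    for (const char *p = group; p < sep; p++)
        if (*p == '+' || *p == '#')       /* wildcard inside ShareName */
            return NULL;
    if (sep[1] == '\0')                   /* "$share/g/": empty filter */
        return NULL;
    return sep + 1;                       /* only reached with sep != NULL */
}

/* Subscribe stage: refuse to store a filter the send path cannot parse. */
int sub_filter_is_valid(const char *topic)
{
    return share_subtopic(topic) != NULL;
}

/* Send stage: check again instead of trusting the subscription table;
 * -1 means "skip this entry", never "pass a bad pointer to strlen()". */
long send_path_filter_len(const char *stored)
{
    const char *sub = share_subtopic(stored);
    return sub != NULL ? (long) strlen(sub) : -1;
}

int main(void)
{
    /* Constructed sample filters, including the one from the advisory. */
    const char *samples[] = { "$share/ab", "$share/g/a/b", "sensors/+/temp" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s valid=%d len=%ld\n", samples[i],
               sub_filter_is_valid(samples[i]), send_path_filter_len(samples[i]));
    return 0;
}
```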

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-476"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68699.json"
}
Affected packages

Git / github.com/emqx/nanomq

Affected ranges

Type
GIT
Repo
https://github.com/emqx/nanomq
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.24.6"
        }
    ]
}

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.1.0
0.10.1
0.10.5
0.10.8
0.11.0
0.11.2
0.11.3
0.11.5
0.11.8
0.11.82
0.12.0
0.12.1
0.12.2
0.12.5
0.13.0
0.13.6
0.13.8
0.14.0
0.14.1
0.14.5
0.14.8
0.15.0
0.15.1
0.15.2
0.15.3
0.15.5
0.16.0
0.16.2
0.16.3
0.16.5
0.17.2
0.17.5
0.17.8
0.18.1
0.18.2
0.19.0
0.19.1
0.19.5
0.2.0
0.2.1
0.2.2
0.2.5
0.20.0
0.20.5
0.20.6
0.20.8
0.21
0.21.1
0.21.10
0.21.2
0.21.5
0.21.6
0.21.7
0.21.8
0.21.9
0.22.0
0.22.1
0.22.10
0.22.2
0.22.3
0.22.6
0.22.7
0.22.8
0.23.0
0.23.1
0.23.10
0.23.2
0.23.3
0.23.4
0.23.5
0.23.6
0.23.7
0.23.7-11
0.23.8
0.23.9
0.24.0
0.24.1
0.24.2
0.24.3
0.24.3-5
0.24.4
0.24.5
0.24.6
0.3.0
0.3.2
0.3.3
0.3.4
0.3.5
0.3.8
0.4.0
0.4.1
0.4.2
0.4.3
0.4.5
0.4.8
0.5.0
0.5.2
0.5.5
0.5.8
0.5.9
0.6.0
0.6.2
0.6.3
0.6.4
0.6.7rc
0.6.8
0.7.0
0.7.2
0.7.3
0.7.4
0.7.4rc
0.7.5
0.7.5rc
0.7.8
0.7.9
0.8.0
0.8.3
0.8.5
0.8.6log
0.9.0
0.9.2
0.9.5
0.9.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68699.json"

Git / github.com/nanomq/nanomq

Affected ranges

Type
GIT
Repo
https://github.com/nanomq/nanomq
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.1.0
0.10.1
0.10.5
0.10.8
0.11.0
0.11.2
0.11.3
0.11.5
0.11.8
0.11.82
0.12.0
0.12.1
0.12.2
0.12.5
0.13.0
0.13.6
0.13.8
0.14.0
0.14.1
0.14.5
0.14.8
0.15.0
0.15.1
0.15.2
0.15.3
0.15.5
0.16.0
0.16.2
0.16.3
0.16.5
0.17.2
0.17.5
0.17.8
0.18.1
0.18.2
0.19.0
0.19.1
0.19.5
0.2.0
0.2.1
0.2.2
0.2.5
0.20.0
0.20.5
0.20.6
0.20.8
0.21
0.21.1
0.21.10
0.21.2
0.21.5
0.21.6
0.21.7
0.21.8
0.21.9
0.22.0
0.22.1
0.22.10
0.22.2
0.22.3
0.22.6
0.22.7
0.22.8
0.23.0
0.23.1
0.23.10
0.23.2
0.23.3
0.23.4
0.23.5
0.23.6
0.23.7
0.23.7-11
0.23.8
0.23.9
0.24.0
0.24.1
0.24.2
0.24.3
0.24.3-5
0.24.4
0.24.5
0.24.6
0.3.0
0.3.2
0.3.3
0.3.4
0.3.5
0.3.8
0.4.0
0.4.1
0.4.2
0.4.3
0.4.5
0.4.8
0.5.0
0.5.2
0.5.5
0.5.8
0.5.9
0.6.0
0.6.2
0.6.3
0.6.4
0.6.7rc
0.6.8
0.7.0
0.7.2
0.7.3
0.7.4
0.7.4rc
0.7.5
0.7.5rc
0.7.8
0.7.9
0.8.0
0.8.3
0.8.5
0.8.6log
0.9.0
0.9.2
0.9.5
0.9.7

Database specific

vanir_signatures
[
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2025-68699-65738b67",
        "target": {
            "file": "nanomq/sub_handler.c",
            "function": "decode_sub_msg"
        },
        "digest": {
            "length": 3400.0,
            "function_hash": "310497582721063528643753849206017306310"
        },
        "signature_version": "v1",
        "source": "https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2025-68699-fe3008e0",
        "target": {
            "file": "nanomq/sub_handler.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68699.json"