Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively "bricks" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2.
AnalysisAI
CocoaMQTT library versions prior to 2.2.2 allow remote denial of service when parsing malformed MQTT packets from a broker, causing immediate application crashes on iOS, macOS, and tvOS devices. An attacker or compromised MQTT broker can publish a 4-byte malformed payload with the RETAIN flag to persist it indefinitely, ensuring every vulnerable client that subscribes receives the crash-inducing packet, effectively bricking the application until manual intervention on the broker. The vulnerability requires an authenticated user context (PR:L in CVSS vector) but impacts application availability with high severity; patch version 2.2.2 is available.
Technical ContextAI
CocoaMQTT is a Swift-based MQTT 5.0 protocol client library for Apple platforms. The vulnerability resides in packet parsing logic (CWE-617: Reachable Assertion) that fails to validate malformed packet structures before processing them. MQTT brokers with message retention enabled (RETAIN flag) can persist specially crafted 4-byte payloads that trigger an assertion failure or unhandled exception during packet deserialization. When a client connects and subscribes to a topic containing such a retained message, the broker automatically pushes the malformed packet to the client, where the parsing code crashes before any application-level handling occurs. This is a state-persistence attack vector unique to MQTT's retention feature, allowing one-time malicious publication to affect all future subscribers.
RemediationAI
Upgrade CocoaMQTT to version 2.2.2 or later, which patches the packet parsing vulnerability. Users managing Swift projects should update their package dependencies via Swift Package Manager by specifying version 2.2.2 or higher in Package.swift or Xcode project settings. The fix is available in the official release at https://github.com/emqx/CocoaMQTT/releases/tag/2.2.2. For applications already deployed, coordinate a software update to affected iOS/macOS/tvOS clients. Brokers should also review retention policies and access controls to prevent unauthorized message publication. No workarounds are available short of removing the library or disabling MQTT subscriptions.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18235
GHSA-r3fr-7m74-q7g2