Nanomq
Null pointer dereference in NanoMQ MQTT Broker 0.24.8 and earlier causes a denial-of-service condition via the QUIC transport layer. The function quic_stream_recv fails to return after completing an asynchronous I/O operation with an error when a substream is in reopen state, proceeding to lock c->mtx against a null substream pointer. An unauthenticated remote attacker can crash the broker process, disrupting edge messaging services. No public exploit identified at time of analysis beyond proof-of-concept code reflected in the CVSS 4.0 E:P metric; not listed in CISA KEV.
Type confusion in NanoMQ MQTT Broker's QUIC dialer close path allows a local attacker with high complexity to cause the broker process to hang or crash. Versions prior to 0.24.14 store a pointer as `nni_quic_conn*` during dialing but later misread that same memory location as `ex_quic_conn*` during dialer close, producing invalid object interpretation across mismatched struct layouts. No public exploit code or active exploitation has been identified at time of analysis; the vendor-released fix is available in version 0.24.14.
Remote unauthenticated denial-of-service in NanoMQ MQTT Broker (versions 0.24.10 and below) crashes the broker process via a NULL pointer dereference triggered by high-concurrency MQTT reconnect traffic. The flaw occurs during session resumption for persistent-session clients (clean_start=0), where the NanoNNG transport layer's pipe_peer() function dereferences cpipe->subinfol without verifying that the new pipe's subinfol pointer is also non-NULL - a pointer that can be freed mid-race. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, CVSS AV:N/PR:N confirms remote unauthenticated triggering, and the fix has been released in version 0.24.11.
Heap buffer overflow in NanoMQ MQTT Broker's REST API allows remote unauthenticated attackers to trigger denial of service via crafted HTTP requests. The off-by-one error in the uri_param_parse function (CWE-122) affects all versions prior to 0.24.11. CVSS 7.7 (High) with network attack vector, low complexity, and no authentication required. A proof-of-concept exploit exists (CVSS E:P), though the absence of a CISA KEV listing suggests limited observed exploitation. Vendor patch available in version 0.24.11 with upstream fix committed (GitHub 69a97b3).
Out-of-bounds read in NanoMQ MQTT Broker webhook processing allows remote attackers with high privileges to trigger denial of service by sending malformed JSON payloads. Prior to version 0.24.10, the hook_work_cb() function in webhook_inproc.c passes unsanitized binary message buffers directly to cJSON_Parse(), which reads past buffer boundaries when payloads lack null terminators. The vulnerability is reliably exploitable when JSON payload length is a power-of-two >=1024 bytes, bypassing nng's allocation padding protection. No public exploit code or active exploitation has been identified.
Remote denial of service in NanoMQ MQTT Broker 0.24.6 allows unauthenticated remote attackers to crash the broker by connecting without credentials when HTTP authentication is enabled with username/password placeholders, triggering a null pointer dereference in the auth_http.c module. The vulnerability requires high attack complexity (user interaction via specific MQTT CONNECT configuration) but results in broker unavailability. Vendor-released patch version 0.24.7 addresses the issue.
NanoMQ MQTT Broker versions prior to 0.24.8 can be remotely crashed via MQTT-over-WebSocket by sending a packet with a maliciously inflated Remaining Length field in the fixed header while providing a shorter actual payload, triggering an out-of-bounds read that causes denial of service. Authenticated attackers can exploit this condition over the WebSocket listener with low attack complexity. Vendor-released patch available in version 0.24.8.
NanoMQ MQTT Broker versions 0.24.6 and earlier are vulnerable to an out-of-bounds read in the MQTT v5 Variable Byte Integer parser, which lacks proper bounds validation when processing 5-byte varints. Remote unauthenticated attackers can trigger a denial of service by sending malformed MQTT packets that crash the broker. No patch is currently available for this vulnerability.
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. [CVSS 5.3 MEDIUM]
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). [CVSS 6.5 MEDIUM]
An issue in NanoMQ v0.22.7 allows attackers to cause a Denial of Service (DoS) via a crafted request. The number of data packets received in the recv-q queue of the NanoMQ process keeps increasing, causing the NanoMQ broker to deadlock and become unable to provide normal service. [CVSS 7.5 HIGH]
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a Heap-Use-After-Free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). [CVSS 4.9 MEDIUM]
NanoMQ v0.22.10 was discovered to contain a memory leak which allows attackers to cause a Denial of Service (DoS) via a crafted PUBLISH message.
NanoMQ v0.22.10 was discovered to contain a heap overflow which allows attackers to cause a Denial of Service (DoS) via a crafted CONNECT message.
CVE-2024-42646 is a segmentation fault vulnerability in NanoMQ v0.21.10 that allows unauthenticated remote attackers to trigger a denial of service condition by sending specially crafted messages. This is a network-accessible DoS vulnerability with high availability impact (CVSS 7.5) that affects message broker deployments. The vulnerability requires no authentication or user interaction, making it easily exploitable in production environments.