GCVE - cpe:2.3:a:eclipse_foundation:mosquitto:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:eclipse_foundation:mosquitto:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Eclipse Foundation (`2c315c48-0111-5572-bbde-cc70cfafb2e9`)
Product	Mosquitto (`f2cff67a-9e55-5deb-9299-c81c8a0f6b5f`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-8376`	vulnerable	2026-06-03 14:58:18.299317	Memory leak In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets. Published: 2024-10-11T15:18:54.142Z Updated: 2024-10-31T09:15:30.149Z Open on db.gcve.eu Reference links https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/216 https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/217 https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/218 https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/227 https://gitlab.eclipse.org/security/cve-assignement/-/issues/26	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-3935`	vulnerable	2026-06-03 14:56:32.468276	Eclipse Mosquito: Double free vulnerability In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker. Published: 2024-10-30T11:45:23.506Z Updated: 2025-11-03T20:38:15.605Z Open on db.gcve.eu Reference links https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/197 https://mosquitto.org/blog/2024/10/version-2-0-19-released/ https://github.com/eclipse-mosquitto/mosquitto/commit/ae7a804dadac8f2aaedb24336df8496a9680fda9	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-10525`	vulnerable	2026-06-03 14:54:11.959001	Eclipse Mosquito: Heap Buffer Overflow in my_subscribe_callback In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients. Published: 2024-10-30T11:41:08.946Z Updated: 2025-11-03T20:36:24.107Z Open on db.gcve.eu Reference links https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/190 https://mosquitto.org/blog/2024/10/version-2-0-19-released/ https://github.com/eclipse-mosquitto/mosquitto/commit/8ab20b4ba4204fdcdec78cb4d9f03c944a6e0e1c	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-7650`	vulnerable	2026-06-03 14:37:37.666054	Details available In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto. Published: 2017-09-11T16:00:00.000Z Updated: 2024-09-16T20:43:01.173Z Open on db.gcve.eu Reference links http://mosquitto.org/2017/05/security-advisory-cve-2017-7650/ http://www.securityfocus.com/bid/98741 http://www.debian.org/security/2017/dsa-3865 https://bugs.eclipse.org/bugs/show_bug.cgi?id=516765	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.