CVE-2025-62413
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-10-21
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| emqx | mqttx | 1.12.0 |
| emqx | mqttx | 1.12.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS, CWE-79) issue in the MQTTX client, reported against version 1.12.0 (the affected-products table on this page also lists 1.12.1). MQTTX renders the payload of received MQTT messages in its user interface without neutralizing HTML, so a payload that contains HTML or JavaScript is interpreted and executed in the client's UI instead of being displayed as text. Anyone who can publish to a topic the MQTTX user is subscribed to, either directly or through a broker that relays untrusted publishers, can deliver such a payload; the victim only has to be subscribed and have the message shown in the UI. The attacker's script then runs in the context of the application, where it can read data the client holds or trigger actions on the user's behalf.
How can this vulnerability impact me?
If exploited, the attacker's script runs inside the MQTTX application UI with whatever access that UI has. MQTTX is an Electron-based desktop client, so script running in its UI may be able to read data the client holds, such as stored MQTT connection credentials, or to perform actions on the user's behalf, such as publishing messages over the user's existing connection. The risk is highest when MQTTX is connected to a broker in an untrusted or multi-tenant environment, where other publishers control the content of topics the user subscribes to and a single crafted message is enough to trigger the issue.
What immediate steps should I take to mitigate this vulnerability?
Upgrade MQTTX to version 1.12.1 or later. Note, however, that the affected-products table on this page also lists 1.12.1, so confirm the exact fixed version against the GitHub advisory for CVE-2025-62413 before treating 1.12.1 as safe. Until the update is applied, avoid connecting MQTTX to brokers in untrusted or multi-tenant environments, and be especially careful with wildcard subscriptions (for example #) on brokers where other parties can publish, since any message that MQTTX displays can carry the payload.
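The payload-rendering defect explained in the Q&A above, shown as an added example that is not MQTTX's code and not part of the original page: a hypothetical message-rendering routine in the shape an Electron or web MQTT client might use, first in the vulnerable form (topic and payload interpolated straight into HTML) and then in the hardened form (every attacker-controlled value escaped at the point it enters markup, with optional JSON pretty-printing done before escaping). The sample message is constructed, and all function and constant names are assumptions for illustration.

```javascript
// Added example (hypothetical, not MQTTX's implementation): how an MQTT
// client's message view becomes an XSS sink, and how to close it.

// Constructed sample: an attacker who can publish to a topic the victim is
// subscribed to controls BOTH the topic string and the payload bytes.
const SAMPLE_MESSAGE = {
  topic: 'sensors/room1/<img src=x onerror=alert(document.title)>',
  payload: '<img src=x onerror="alert(\'xss\')">',
};

// VULNERABLE: attacker-controlled strings are dropped into markup verbatim.
// Assigning this to element.innerHTML executes the onerror handler.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><span class="topic">${msg.topic}</span>` +
         `<pre class="payload">${msg.payload}</pre></div>`;
}

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Optional pretty-printing of JSON payloads. This runs BEFORE escaping, so
// the formatter's output (which still contains the attacker's strings) is
// neutralized as well. Non-JSON input falls through unchanged.
function formatPayload(payload, format) {
  if (format === 'json') {
    try {
      return JSON.stringify(JSON.parse(payload), null, 2);
    } catch (e) {
      // Not valid JSON: show the raw payload as text instead.
    }
  }
  return String(payload);
}

// HARDENED: escape at the sink, i.e. at the exact point each untrusted value
// is placed into HTML. In a real client, prefer textContent or a framework's
// text binding over building HTML strings at all.
function renderMessageSafe(msg, format = 'plaintext') {
  return `<div class="msg"><span class="topic">${escapeHtml(msg.topic)}</span>` +
         `<pre class="payload">${escapeHtml(formatPayload(msg.payload, format))}</pre></div>`;
}

// Self-check used by the demo: after removing the template's own tags, any
// remaining '<' is markup that came from the message, not from the template.
const TEMPLATE_TAGS = ['<div class="msg">', '<span class="topic">', '</span>',
                       '<pre class="payload">', '</pre>', '</div>'];
function hasInjectedMarkup(html) {
  let rest = html;
  for (const tag of TEMPLATE_TAGS) rest = rest.split(tag).join('');
  return rest.includes('<');
}

// Demo: the unsafe renderer leaks the attacker's <img onerror=...> into the
// page; the safe renderer shows it as inert text.
console.log('unsafe injected:', hasInjectedMarkup(renderMessageUnsafe(SAMPLE_MESSAGE)));
console.log('safe injected:  ', hasInjectedMarkup(renderMessageSafe(SAMPLE_MESSAGE)));
console.log(renderMessageSafe({ topic: 'a/b', payload: '{"x":"<i>"}' }, 'json'));
```

The check in hasInjectedMarkup is deliberately simple: it only works because the hardened renderer never emits a literal `<` from untrusted data, which is the property a code reviewer should verify at every sink that displays message topics, payloads, or user properties.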