CVE-2025-62723
BaseFortify
Publication date: 2025-10-24
Last updated on: 2025-10-31
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flashmq | flashmq | < 1.23.2 (all releases before 1.23.2; 1.23.2 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-772 | The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. |
AI Powered Q&A
Can you explain this vulnerability to me?
In FlashMQ before 1.23.2, any authenticated MQTT client could create sessions that accumulate queued QoS messages. Messages that were never delivered to the client were not released when the session expired, so a client with valid credentials could make the broker retain those messages indefinitely. This is a missing-release-of-resource bug (CWE-772) that can lead to resource exhaustion and denial of service. Version 1.23.2 fixes the issue.
How can this vulnerability impact me?
The broker keeps undelivered QoS messages in sessions that are not cleaned up after they expire, so the resources they occupy grow for as long as an authenticated client keeps creating such sessions. The result is degraded broker performance and, eventually, a denial of service for every client that depends on it. Because triggering it requires valid credentials, the exposure is highest on brokers where authenticated clients are not fully trusted (shared, multi-tenant or IoT deployments).
What immediate steps should I take to mitigate this vulnerability?
Upgrade FlashMQ to version 1.23.2 or later; that release stops retaining undelivered QoS messages after a session expires. Until the upgrade is done, review which accounts are allowed to authenticate to the broker, since only authenticated users can trigger the problem.
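The affected range on this page is "every release before 1.23.2". The following Python snippet, added here as an example and not code from FlashMQ or the advisory, turns that range into a check that can be run over an inventory of broker version strings. The input formats it accepts ("1.23.1", "v1.23", "FlashMQ 1.23.1") are assumptions about how a version might be recorded, not the output format of any FlashMQ command.

```python
"""Added example: classify FlashMQ version strings against the affected
range for this advisory (all versions before 1.23.2). Illustration code,
not part of FlashMQ."""
import re

# First release containing the fix, taken from the advisory on this page.
FIXED_VERSION = (1, 23, 2)


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the leading dotted numeric version from a string.

    Accepts forms such as '1.23.1', 'v1.23' or 'FlashMQ 1.23.1' (these
    input formats are assumptions for the example). Versions shorter
    than three components are padded with zeros so that '1.23' compares
    like '1.23.0'.
    """
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(text: str) -> bool:
    """True when the parsed version is strictly below the fixed release."""
    return parse_version(text) < FIXED_VERSION


def triage(versions: list[str]) -> list[str]:
    """Return the version strings that still need the upgrade, in order."""
    return [v for v in versions if is_affected(v)]


if __name__ == "__main__":
    # Constructed sample inventory for the example.
    inventory = ["FlashMQ 1.22.0", "v1.23.2", "1.23.1", "1.24.0"]
    for entry in inventory:
        status = "AFFECTED - upgrade" if is_affected(entry) else "fixed"
        print(f"{entry:16} {status}")
```

Tuple comparison does the right thing here because every component is an integer; comparing the raw strings would wrongly rank "1.9.0" above "1.23.1".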