CVE-2025-66217
BaseFortify
Publication date: 2025-11-29
Last updated on: 2025-12-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aiscatcher | ais-catcher | to 0.64 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an integer underflow in the MQTT parsing logic of AIS-catcher before version 0.64. An attacker can send a malformed MQTT packet with a manipulated Topic Length field, causing a massive Heap Buffer Overflow. This leads to an immediate Denial of Service (DoS) and, if AIS-catcher is used as a library, severe Memory Corruption that can be exploited for Remote Code Execution (RCE).
How can this vulnerability impact me? :
The vulnerability can cause an immediate Denial of Service (DoS) by crashing the AIS-catcher application. Additionally, if AIS-catcher is used as a library, it can lead to severe Memory Corruption that attackers may exploit to execute arbitrary code remotely, potentially compromising the affected system.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade AIS-catcher to version 0.64 or later, where the integer underflow vulnerability in the MQTT parsing logic has been patched.