CVE-2025-68699
Null Pointer Dereference in NanoMQ MQTT Broker Causes Remote Crash

Publication date: 2026-02-04

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7.
Meta Information
Published: 2026-02-04
Last Modified: 2026-02-20
Generated: 2026-06-16
AI Q&A: 2026-02-04
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: emqx
Product: nanomq
Version / Range: 0.24.6
CWE
CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
Executive Summary

CVE-2025-68699 is a moderate severity vulnerability in the NanoMQ MQTT Broker version 0.24.6 related to improper validation and parsing of shared MQTT subscriptions that use the "$share/" prefix.

The issue occurs because NanoMQ does not strictly validate malformed shared subscription topics during the subscription stage. For example, a malformed topic like "$share/ab" (which is missing the second '/') is accepted and stored in the subscription table without error.

Later, when a PUBLISH message matches this malformed subscription, the broker attempts to parse the "$share/" prefix again using strchr() calls to find '/' characters. The code increments pointers returned by strchr() without checking if strchr() returned NULL.

If the second strchr() returns NULL (because the malformed topic lacks the second '/'), incrementing the NULL pointer results in an invalid pointer (e.g., 0x1). This invalid pointer is then passed to a function that calls strlen() on it, causing a segmentation fault (SIGSEGV) and crashing the broker.

This crash is stable, remotely triggerable without authentication or privileges, and requires only user interaction to subscribe with the malformed topic and then publish a matching message. [1]

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition by crashing the NanoMQ broker when it processes a malformed shared subscription topic.

An attacker can remotely trigger this crash without any privileges by creating a malformed subscription and then publishing a message that matches it.

The impact is limited to availability, as there is no confidentiality or integrity loss associated with this vulnerability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to reproduce the crash condition using standard MQTT client tools against a NanoMQ broker version 0.24.6. Specifically, subscribing with a malformed shared subscription topic such as "$share/ab" (missing the second '/') and then publishing a matching message will trigger the crash.

Commands to detect the vulnerability include using mosquitto_sub to subscribe with the malformed topic and mosquitto_pub to publish a message that matches this subscription, causing the broker to crash. The topic is single-quoted so that the shell does not expand $share as a variable.

    mosquitto_sub -t '$share/ab' -h <broker_address>
    mosquitto_pub -t "ab" -m "test message" -h <broker_address>

If the broker crashes (SIGSEGV) upon publishing, the vulnerability is present. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade NanoMQ to version 0.24.7 or later, where the vulnerability has been patched by enforcing strict validation of shared subscription topics.

If upgrading is not immediately possible, avoid allowing subscriptions with malformed shared subscription topics that lack the required second '/' character after the "$share/" prefix.

Additionally, monitor and restrict MQTT client subscriptions to ensure they comply with the correct topic format to prevent malformed subscriptions from being accepted. [2]
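The strict validation described above can be sketched as a single NULL-checked parser used both when a SUBSCRIBE is accepted and on the send path. This is an added example, not NanoMQ's code or its 0.24.7 patch; the function name shared_sub_filter() and the sample topics are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHARE_PREFIX "$share/"

/* Hypothetical helper (not NanoMQ code). For "$share/<group>/<filter>" it
 * returns a pointer to <filter>; for a malformed shared topic it returns
 * NULL; a topic without the "$share/" prefix is returned unchanged. */
const char *shared_sub_filter(const char *topic)
{
    size_t plen = sizeof(SHARE_PREFIX) - 1;

    if (topic == NULL || *topic == '\0')
        return NULL;
    if (strncmp(topic, SHARE_PREFIX, plen) != 0)
        return topic;                  /* ordinary subscription */

    const char *group = topic + plen;
    const char *slash = strchr(group, '/');
    /* The advisory's failure: incrementing this result without a NULL
     * check turns NULL into address 0x1, which strlen() then reads. */
    if (slash == NULL)
        return NULL;                   /* "$share/ab": no second '/' */
    if (slash == group)
        return NULL;                   /* "$share//x": empty group name */
    for (const char *p = group; p < slash; p++)
        if (*p == '+' || *p == '#')
            return NULL;               /* MQTT 5: no wildcards in ShareName */
    if (slash[1] == '\0')
        return NULL;                   /* "$share/g/": empty topic filter */
    return slash + 1;
}

int main(void)
{
    /* Constructed sample topics, including the malformed one from the CVE. */
    const char *samples[] = { "$share/ab", "$share/g/sensors/#",
                              "$share//x", "$share/g/", "sensors/temp" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *f = shared_sub_filter(samples[i]);
        printf("%-22s -> %s\n", samples[i], f ? f : "(rejected)");
    }
    return 0;
}
```

Rejecting the SUBSCRIBE when the helper returns NULL keeps the malformed filter out of the subscription table, and reusing the same helper at publish time means the two stages cannot disagree about what a valid shared topic is.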
