CVE-2023-28366

Name of the Vulnerable Software and Affected Versions Eclipse Mosquitto versions 1.3.2 through 2.x before 2.0.16

Description The issue is related to a memory leak in the broker of Eclipse Mosquitto. This memory leak can be exploited remotely when a client sends many QoS 2 messages with duplicate message IDs and fails to respond to PUBREC commands. The cause of this issue is the mishandling of EAGAIN from the libc send function. This can lead to a denial of service.

Recommendations For Eclipse Mosquitto versions 1.3.2 through 2.x before 2.0.16, update to version 2.0.16 or later to resolve the memory leak issue. As a temporary workaround, consider restricting the handling of QoS 2 messages with duplicate message IDs to minimize the risk of exploitation. Additionally, ensure that clients properly respond to PUBREC commands to prevent abuse.