Kai Hudalla

**Name of the Vulnerable Software and Affected Versions** Eclipse Hono versions 1.3.0 through 1.4.0 **Description** The AMQP protocol adapter in Eclipse Hono does not verify the size of AMQP messages received from devices. A device may send messages that are bigger than the max-message-size indicated during link establishment, which could be exploited by a hand crafted AMQP 1.0 client to send a message of unlimited size to the adapter, eventually causing the adapter to fail with an out of memory exception. **Recommendations** For Eclipse Hono versions 1.3.0 and 1.4.0, consider implementing size verification for AMQP messages received from devices to prevent potential out of memory exceptions. As a temporary workaround, restrict the maximum allowed message size to prevent unlimited size messages from being sent to the adapter. At the moment, there is no information about a newer version that contains a fix for this vulnerability.