Nanomq · Nanomq · CVE-2026-32696
**Name of the Vulnerable Software and Affected Versions**
NanoMQ versions prior to 0.24.7
**Description**
NanoMQ MQTT Broker is an Edge Messaging Platform. In NanoMQ version 0.24.6, when HTTP authentication is enabled (`auth.http_auth`) and the configured parameters use the placeholders `%u` and `%P` (e.g., `username="%u"`, `password="%P"`), a client that connects via MQTT CONNECT without a username/password triggers a crash. This occurs because the `set_data()` function in `auth_http.c` calls `strlen()` on a NULL pointer, resulting in a SIGSEGV crash. This crash can be triggered remotely, leading to a denial of service.
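The failure mode described above next to a NULL-safe way to expand the placeholders, as an added example that is not NanoMQ's code or its 0.24.7 fix. `struct creds`, `struct param`, `resolve()` and `build_body()` are hypothetical names, and sending an empty value for an absent credential is an assumed policy.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types for this example, not NanoMQ's own structures.
 * A credential is NULL when the CONNECT packet did not carry it. */
struct creds { const char *username; const char *password; };
struct param { const char *key; const char *tmpl; };

/* Map a configured value to the string it stands for. Returns NULL for
 * "%u" / "%P" when the client sent no username / password. */
static const char *resolve(const char *tmpl, const struct creds *c) {
    if (strcmp(tmpl, "%u") == 0) return c->username;
    if (strcmp(tmpl, "%P") == 0) return c->password;
    return tmpl; /* anything else is a literal */
}

/* Build "k1=v1&k2=v2" in out; returns its length or -1 if it will not fit.
 * The faulting pattern is strlen(resolve(...)) with no NULL test.
 * Values are not URL-encoded here. */
int build_body(const struct param *p, size_t np, const struct creds *c,
               char *out, size_t cap) {
    size_t used = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < np; i++) {
        const char *val = resolve(p[i].tmpl, c);
        if (val == NULL)
            val = ""; /* assumed policy: absent credential -> empty value */
        size_t need = (i ? 1 : 0) + strlen(p[i].key) + 1 + strlen(val);
        if (need >= cap - used)
            return -1; /* no room for the pair plus the terminating NUL */
        used += (size_t) snprintf(out + used, cap - used, "%s%s=%s",
                                  i ? "&" : "", p[i].key, val);
    }
    return (int) used;
}

int main(void) {
    /* Constructed input: params as in the advisory, CONNECT without credentials. */
    struct param ps[] = { {"username", "%u"}, {"password", "%P"} };
    struct creds anon = { NULL, NULL };
    char body[128];
    int n = build_body(ps, 2, &anon, body, sizeof body);
    printf("%d: %s\n", n, body); /* 19: username=&password= */
    return 0;
}
```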
**Recommendations**
Upgrade to NanoMQ version 0.24.7 or later.