Ocean

**Name of the Vulnerable Software and Affected Versions** Losant Arduino MQTT Client versions prior to V2.7 **Description** This issue allows remote attackers to execute arbitrary code on vulnerable installations. User interaction is not required to exploit this issue. The specific flaw exists within the parsing of MQTT PUBLISH packets, resulting from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this issue to execute code in the context of the current process. **Recommendations** For versions prior to V2.7, update to version V2.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the MQTT PUBLISH packet parsing functionality until a patch is available. Avoid using the Losant Arduino MQTT Client with untrusted MQTT connections until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** npm mosca version 2.8.1 **Description** This issue allows remote attackers to deny service on vulnerable installations. Authentication is not required to exploit this issue. The specific flaw exists within the processing of topics. A crafted regular expression can cause the broker to crash, allowing an attacker to deny access to the target system. **Recommendations** For npm mosca version 2.8.1, update to a version that fixes the regular expression parsing issue to prevent denial-of-service attacks. As a temporary workaround, consider restricting access to the topic processing functionality until a patch is available.