CVE-2021-34431

Name of the Vulnerable Software and Affected Versions Eclipse Mosquitto versions 1.6 through 2.0.10

Description The issue is related to incorrect handling of a CONNECT packet without will topic, will message when the will flag and will property are present. This can be exploited by a remote attacker to cause a denial of service. Specifically, if an authenticated client that had connected with MQTT v5 sends a crafted CONNECT message to the broker, a memory leak would occur, which could be used to provide a DoS attack against the broker.

Recommendations For Eclipse Mosquitto versions 1.6 through 2.0.10, consider updating to a version that fixes the memory leak issue to prevent potential DoS attacks. As a temporary workaround, restrict access to the MQTT v5 CONNECT message to minimize the risk of exploitation. Avoid using crafted CONNECT messages that could trigger the memory leak until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.