PT-2024-8324 · Eclipse · Eclipse Mosquitto

Credits: Song Xiangpu

Published: 2024-10-30 · Updated: 2026-03-29

CVE-2024-3935

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Eclipse Mosquitto versions 2.0.0 through 2.0.18

Description
The issue is a double free in the bridge code of Eclipse Mosquitto. When a broker is configured with an outgoing bridge connection whose incoming topic (a `topic` line with direction `in` or `both`) uses topic remapping, that is, a local prefix and/or remote prefix, the remote end of that bridge can send a crafted PUBLISH packet that causes a double free and crashes the broker. The attacker therefore needs to control, or be able to stand in for, the remote broker the bridge connects to. The impact is denial of service; confidentiality and integrity are not affected, as the CVSS vector shows.

Recommendations
Upgrade to Eclipse Mosquitto 2.0.19 or later, which contains the fix, or install the patched distribution packages referenced under Related Identifiers (Debian DLA-4059-1, Ubuntu USN-7441-1, openSUSE, openEuler OESA-2024-2343 through OESA-2024-2346). If an upgrade is not immediately possible, remove topic remapping from bridge `topic` lines with direction `in` or `both` (drop the local-prefix and remote-prefix fields), and only bridge to remote brokers you trust: authenticate the far end with `bridge_cafile` pointing at a private CA, use `bridge_certfile`/`bridge_keyfile` for mutual TLS, and leave `bridge_insecure` at its default of false so that an attacker cannot impersonate the remote peer. Restricting client access to the broker does not by itself help here, because the malicious PUBLISH arrives over the bridge connection the broker itself opens; blocking PUBLISH packets is not a viable workaround either, since PUBLISH is how MQTT delivers every message.
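As an added check (example code written for this page, not part of Eclipse Mosquitto), the following POSIX shell script flags the configuration shape the advisory describes and classifies a broker version string against the affected range 2.0.0 through 2.0.18. The two mosquitto.conf fragments it writes are constructed samples: the first has an incoming bridge topic with local/remote prefixes (the vulnerable pattern), the second drops the remapping and pins the remote peer with mutual TLS. Host names and certificate paths in the samples are placeholders.

```shell
#!/bin/sh
# Added example for this advisory (not Mosquitto project code): audit a
# mosquitto.conf for the bridge pattern behind CVE-2024-3935 and classify a
# broker version against the affected range 2.0.0 .. 2.0.18.

# Mosquitto bridge topic syntax:
#   topic pattern [[[out | in | both] qos-level] local-prefix remote-prefix]
# Incoming remapping is in effect when direction is "in" or "both" and at
# least one prefix field is present. Prints each such line; returns 1 if any
# were found, 0 when the file has none.
find_remapped_incoming_topics() {
    conf=$1
    hits=0
    while IFS= read -r line; do
        set -- $line      # $1=topic $2=pattern $3=direction $4=qos $5=local $6=remote
        [ "${1:-}" = topic ] || continue   # skips comments, blank lines, other keys
        [ $# -ge 5 ] || continue           # no prefix field present -> no remapping
        case $3 in
            in|both) printf 'remapped incoming bridge topic: %s\n' "$line"
                     hits=$((hits + 1)) ;;
        esac
    done < "$conf"
    [ "$hits" -eq 0 ]
}

# Returns 0 when the version string is in the affected range 2.0.0 .. 2.0.18.
# On a live host take the value from the first line of `mosquitto -h`, e.g.
#   mosquitto -h 2>&1 | sed -n 's/^mosquitto version \([0-9.]*\).*/\1/p'
is_affected_version() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    patch=${patch%%[!0-9]*}                       # tolerate suffixes such as "18a"
    [ "$major" = 2 ] && [ "$minor" = 0 ] && [ "${patch:-0}" -le 18 ]
}

VULN_CONF=$(mktemp) && SAFE_CONF=$(mktemp)
trap 'rm -f "$VULN_CONF" "$SAFE_CONF"' EXIT

# Constructed sample 1: the vulnerable shape. Direction "in" plus local/remote
# prefixes means incoming topic remapping.
cat > "$VULN_CONF" <<'EOF'
connection upstream
address broker.example.net:8883
bridge_cafile /etc/mosquitto/certs/upstream-ca.crt
# pattern      dir qos local-prefix remote-prefix
topic sensors/# in  0   local/       remote/
topic control/# out 0
EOF

# Constructed sample 2: same bridge without remapping (messages are republished
# locally under their remote topic name) and with the far end pinned by mutual
# TLS so an untrusted broker cannot sit on the other side of the bridge.
cat > "$SAFE_CONF" <<'EOF'
connection upstream
address broker.example.net:8883
bridge_cafile /etc/mosquitto/certs/upstream-ca.crt
bridge_certfile /etc/mosquitto/certs/bridge.crt
bridge_keyfile /etc/mosquitto/certs/bridge.key
bridge_insecure false
topic remote/sensors/# in 0
topic control/# out 0
EOF

for f in "$VULN_CONF" "$SAFE_CONF"; do
    if find_remapped_incoming_topics "$f"; then
        printf '%s: no remapped incoming bridge topics\n' "$f"
    else
        printf '%s: exposed to CVE-2024-3935 when the broker is 2.0.0..2.0.18\n' "$f"
    fi
done
for v in 2.0.18 2.0.19 1.6.15; do
    if is_affected_version "$v"; then
        printf 'mosquitto %s: affected\n' "$v"
    else
        printf 'mosquitto %s: not affected\n' "$v"
    fi
done
```

Dropping the prefixes changes the local topic namespace (local subscribers see `remote/sensors/...` rather than `local/sensors/...`), so treat the rewritten `topic` line as a stopgap until the broker is upgraded. The version check runs offline on a string; pair it with the `mosquitto -h` pipeline in the comment on the host under review.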

Weakness Enumeration

Double Free (CWE-415)

Related Identifiers

BDU:2024-09880
CVE-2024-3935
DLA-4059-1
OESA-2024-2343
OESA-2024-2344
OESA-2024-2345
OESA-2024-2346
OPENSUSE-SU-2025:15074-1
OPENSUSE-SU-2026:20260-1
USN-7441-1

Affected Products

Debian
Eclipse Mosquitto
Linuxmint
Red Os
Ubuntu