PT-2025-48097 · Nanomq+1 · Nanomq+1
Published
2025-11-25
·
Updated
2025-11-26
·
CVE-2025-65953
CVSS v4.0
6.0
Medium
| Vector | AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
NanoMQ versions prior to 0.22.5
Description
A Heap-Use-After-Free (UAF) vulnerability exists in the TCP transport component of NanoMQ, stemming from improper resource management and premature cleanup of message and pipe structures. This occurs under specific conditions involving malformed MQTTV5 retain message traffic. The vulnerability is located in
src/sp/transport/mqtt/broker tcp.c and relies on the NanoNNG library.Recommendations
Update to version 0.22.5 or later.
Exploit
Fix
Use After Free
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Nanomq
Nanonng