PT-2025-48653 · Eclipse · Eclipse Paho Go Mqtt V3.1

Paul Gerste · Published 2025-12-02 · Updated 2026-01-06 · CVE-2025-10543

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions 1.5.0 and earlier

Description: The Eclipse Paho Go MQTT v3.1 library is susceptible to an issue where UTF-8 encoded strings exceeding 65535 bytes in length may be incorrectly encoded. This occurs because the data length is converted to an int16 without an overflow check, which can produce corrupt packets or data leakage: for example, a portion of an MQTT topic might be included in the message body of a PUBLISH packet. The root cause is the conversion of the data length from an int64 or int32 to an int16 without validation.

Recommendations: Versions prior to 1.5.0 should be updated.
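The following Go program is an added illustration of the defect class described above; it is not code from paho.mqtt.golang and does not reproduce that library's functions. It models an MQTT length-prefixed string (a two-byte big-endian length followed by the bytes) with two encoders: one that narrows the length to 16 bits without a range check, as the advisory describes, and a hardened one that rejects strings longer than 65535 bytes. A small receiver-side parser then shows why the unchecked form leaks data: a topic of 65540 bytes is declared as 4 bytes, so a receiver takes 4 bytes as the topic and reads the remaining 65536 bytes as if they were the PUBLISH payload. The function names, the 65540-byte sample topic and the use of uint16 (the page says int16; either narrowing wraps modulo 2^16 on the wire) are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// maxMQTTStringLen is the largest length a two-byte MQTT string length prefix can carry.
const maxMQTTStringLen = 65535

// encodeStringUnchecked models the defect from the advisory: the length is narrowed
// to 16 bits with no range check, so any length above 65535 wraps around silently.
// Constructed for illustration; this is not the library's own encoder.
func encodeStringUnchecked(s string) []byte {
	b := make([]byte, 2+len(s))
	binary.BigEndian.PutUint16(b, uint16(len(s))) // silent truncation of the length
	copy(b[2:], s)
	return b
}

// encodeString is the hardened form: refuse anything the two-byte prefix cannot describe.
func encodeString(s string) ([]byte, error) {
	if len(s) > maxMQTTStringLen {
		return nil, fmt.Errorf("mqtt string too long: %d bytes (max %d)", len(s), maxMQTTStringLen)
	}
	b := make([]byte, 2+len(s))
	binary.BigEndian.PutUint16(b, uint16(len(s)))
	copy(b[2:], s)
	return b, nil
}

// declaredLen returns the length a receiver reads from the two-byte prefix.
func declaredLen(encoded []byte) int {
	return int(binary.BigEndian.Uint16(encoded))
}

// splitString parses one length-prefixed string the way a receiver would and
// returns the string plus whatever bytes follow it (in a PUBLISH, the payload).
func splitString(buf []byte) (string, []byte, error) {
	if len(buf) < 2 {
		return "", nil, errors.New("buffer shorter than length prefix")
	}
	n := declaredLen(buf)
	if len(buf) < 2+n {
		return "", nil, errors.New("declared length exceeds buffer")
	}
	return string(buf[2 : 2+n]), buf[2+n:], nil
}

func main() {
	// Constructed sample: a topic 5 bytes past the 16-bit limit.
	topic := strings.Repeat("a", 65540)

	wire := encodeStringUnchecked(topic)
	got, rest, _ := splitString(wire)
	fmt.Printf("unchecked: declared %d, receiver sees topic of %d bytes and %d bytes of leftover\n",
		declaredLen(wire), len(got), len(rest))

	if _, err := encodeString(topic); err != nil {
		fmt.Println("checked:", err)
	}
}
```

The point a reviewer would check in any length-prefixed encoder is that the range check happens before the narrowing conversion; the parser side should also enforce the declared length against the buffer, as `splitString` does, so a malformed prefix is rejected rather than read past the end.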

Related Identifiers

AZL-71299
AZL-71311
AZL-71320
AZL-71332
CVE-2025-10543
ECHO-D9CC-884F-AE57
GHSA-32FW-GQ77-F2F2
GO-2025-4173
SUSE-SU-2026:0037-1

Affected Products

Eclipse Paho Go Mqtt V3.1