CVE-2025-66023

Name of the Vulnerable Software and Affected Versions NanoMQ versions prior to 0.24.5

Description NanoMQ MQTT Broker, an Edge Messaging Platform, contains a Heap-Use-After-Free (UAF) issue in its MQTT bridge client component, which is implemented using the NanoNNG library. This issue occurs when NanoMQ connects to a remote MQTT broker. A malicious remote broker can trigger a crash (Denial of Service) or potential memory corruption by sending a malformed packet sequence immediately after connection establishment. The vulnerability is addressed by enforcing stricter protocol adherence in the MQTT client SDK, ensuring that a CONNACK packet is always the first packet processed upon connection.

Recommendations Update to version 0.24.5 or later. As a workaround, validate the remote broker before bridging.