PT-2026-5967 · Nanomq · Nanomq

Published: 2026-02-04 · Updated: 2026-02-04 · CVE-2025-68699

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

NanoMQ versions prior to 0.24.7

Description

NanoMQ MQTT Broker (NanoMQ) has an issue related to protocol parsing and forwarding when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic, such as $share/ab (missing the second /), is not properly validated during subscription. This invalid Topic Filter is stored, and when a PUBLISH message matches this subscription, the nmq_pipe_send_start_v4/v5 function attempts to parse the topic using strchr(). If strchr() returns NULL, the code increments the pointer, producing an invalid address. This invalid pointer is then passed to the topic_filtern() function, which crashes in a strlen() call, resulting in a SIGSEGV. The crash is reliably triggered remotely. The vulnerable code involves the parsing of shared subscription topics and the use of pointer arithmetic without proper NULL checks.

Recommendations

Upgrade to NanoMQ version 0.24.7 or later to address this issue.
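
The check the description says was missing, as an added example that is not NanoMQ's code or its actual patch: the strchr() result is tested before the pointer is advanced, and the same test gates SUBSCRIBE so a malformed filter is never stored. The function names are hypothetical; beyond the missing second / described above, the example also rejects an empty or wildcard-containing share name and an empty filter, following the MQTT 5.0 shared-subscription rules.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define SHARE_PREFIX "$share/"

/*
 * Return the topic filter inside "$share/<group>/<filter>", or NULL when the
 * shared-subscription form is malformed. Topics without the prefix are
 * returned unchanged. Hypothetical helper, not a NanoMQ function.
 */
const char *share_topic_filter(const char *topic)
{
    if (topic == NULL)
        return NULL;
    if (strncmp(topic, SHARE_PREFIX, strlen(SHARE_PREFIX)) != 0)
        return topic; /* ordinary subscription, validated elsewhere */

    const char *group = topic + strlen(SHARE_PREFIX);
    const char *sep = strchr(group, '/');

    /* The unchecked pattern from the description amounts to
     *     p = strchr(group, '/'); p++;
     * which turns a NULL result into a bogus address. Test it first. */
    if (sep == NULL)
        return NULL; /* "$share/ab": no second '/' */
    if (sep == group)
        return NULL; /* "$share//t": empty share name */
    if (strcspn(group, "+#") < (size_t)(sep - group))
        return NULL; /* wildcard inside the share name */
    if (sep[1] == '\0')
        return NULL; /* "$share/g/": empty topic filter */
    return sep + 1;
}

/* Gate to apply when SUBSCRIBE arrives, before the filter is stored. */
bool subscribe_filter_ok(const char *topic)
{
    return share_topic_filter(topic) != NULL;
}

int main(void)
{
    /* Constructed input: the malformed filter quoted in the advisory. */
    return subscribe_filter_ok("$share/ab") ? 1 : 0;
}
```

The publish path should call the same helper and skip the subscription when it returns NULL, so filters stored by an older build cannot reach strlen() with an invalid pointer.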

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

CVE-2025-68699
GHSA-QV5F-C6V2-2F8H

Affected Products

Nanomq