CVE-2024-3935


In Eclipse Mosquitto versions 2.0.0 through 2.0.18, if a broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that uses topic remapping, then a crafted PUBLISH packet sent by the remote connection causes a double free, followed by a crash of the broker.


Published

2024-10-30T12:15:03.090

Last Modified

2025-11-03T21:16:16.427

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-415
  • Type: Primary
    CWE-415

Affected Vendors & Products

| Type        | Vendor  | Product   | Version/Range | Vulnerable? |
|-------------|---------|-----------|---------------|-------------|
| Application | eclipse | mosquitto | < 2.0.19      | Yes         |
