Fluid Attacks Database

Description

Improper Input Validation and Buffer Over-read in mqtt-packet A specifically malformed MQTT Subscribe packet crashes MQTT Brokers using the mqtt-packet module versions < 3.5.1, 4.0.0 - 4.1.3, 5.0.0 - 5.6.1, 6.0.0 - 6.1.2 for decoding.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	node-mqtt-packet	>=0 <6.0.0-2	6.0.0-2
debian 12	node-mqtt-packet	>=0 <6.0.0-2	6.0.0-2
debian 13	node-mqtt-packet	>=0 <6.0.0-2	6.0.0-2
debian 14	node-mqtt-packet	>=0 <6.0.0-2	6.0.0-2
npm	mqtt-packet	>=0 <3.5.1 \|\| >=4.0.0 <4.1.3 \|\| >=5.0.0 <5.6.1 \|\| >=6.0.0 <6.1.2	3.5.1, 4.1.3, 5.6.1, 6.1.2

Aliases

1. CVE-2019-54322. NVD-2019-54323. OSV-DEBIAN-2019-54324. OSV-2019-54325. GCVE-2019-54326. SECURITY-TRACKER-CVE-2019-5432

References

1. https://hackerone.com/reports/541354

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.