logo

Database

Improper resource allocation In mqtt

Description

Denial of Service in mqtt Affected versions of mqtt do not properly handle PUBLISH packets returning from the server, leading to a Denial of Service condition.

The vulnerability is completely mitigated if the only connected servers are trusted, guaranteed not to be under the control of a malicious actor.

Proof of Concept

The following is a demonstration of how to generate the malicious packet sequence, but does not include information on handling the initial network connections and MQTT overhead.

var mqttp = require('mqtt-packet');
var packets = [];
for(var i=0; i<=1000;i++){
    packets.push(
        mqttp.generate({
            cmd:'publish',
            topic:Buffer.from('hello'),
            payload:Buffer.from('world'),...

Recommendation

Update to version 2.15.0 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2017-109102. NVD-2017-109103. OSV-2017-109104. GHSA-h9mj-fghc-664w5. GCVE-2017-10910

References

1. https://github.com/mqttjs/MQTT.js/commit/403ba53b838f2d319a0c0505a045fe00239e99232. https://github.com/mqttjs/MQTT.js/releases/tag/v2.15.03. https://github.com/nodejs/security-wg/blob/master/vuln/npm/357.json4. https://jvn.jp/en/jp/JVN45494523/index.html5. https://www.npmjs.com/advisories/555

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.