
CVE-2024-3935: Eclipse Mosquitto: Double free vulnerability

6.0 CVSS

Description

In Eclipse Mosquitto, versions 2.0.0 through 2.0.18, a double free can be triggered when a Mosquitto broker is configured to create an outgoing bridge connection and that bridge has an incoming topic configured with topic remapping. If the remote end of the bridge sends a crafted PUBLISH packet to the broker, the double free occurs and the broker subsequently crashes.

Classification

CVE ID: CVE-2024-3935

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.0

Affected Products

Vendor: Eclipse Foundation

Product: mosquitto

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild)

EPSS Percentile: 22.77% (fraction of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-07 (date on which this score was calculated)

References

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/197
https://mosquitto.org/blog/2024/10/version-2-0-19-released/
https://github.com/eclipse-mosquitto/mosquitto/commit/ae7a804dadac8f2aaedb24336df8496a9680fda9

Timeline