Reporting security vulnerabilities

If you think you have found a security vulnerability in Mosquitto, please follow the steps on Eclipse Security page to report it.

Past vulnerabilities

Listed with most recent first. Further information on security related issues can be found in the security category.

  • August 2023: [CVE-2023-0809]: Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets. Affecting versions 1.5.0 to 2.0.15. Fixed in 2.0.16.
  • August 2023: [CVE-2023-3592]: Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types. Affecting version 1.6.0 to 2.0.15 Fixed in 2.0.16.
  • August 2023: [CVE-2023-28366]: Clients sending unacknowledged QoS 2 messages with duplicate message ids cause a memory leak. Affecting versions 1.3.2 to 2.0.15 inclusive, fixed in 2.0.16.
  • August 2022: Deleting the anonymous group in the dynamic security plugin could lead to a crash. Affecting versions 2.0.0 to 2.0.14 inclusive, fixed in 2.0.15.
  • August 2021: CVE-2021-34434 Affecting versions 2.0.0 to 2.0.11 inclusive, fixed in 2.0.12.
  • April 2021: CVE-2021-28166 Affecting versions 2.0.0 to 2.0.9 inclusive, fixed in 2.0.10.
  • December 2020: Running mosquitto_passwd with the following arguments only mosquitto_passwd -b password_file username password would cause the username to be used as the password. Affecting versions 2.0.0 to 2.0.2 inclusive, fixed in 2.0.3.
  • September 2019: CVE-2019-11779. Affecting versions 1.5 to 1.6.5 inclusive, fixed in 1.6.6 and 1.5.9. More details at version-166-released.
  • September 2019: CVE-2019-11778. Affecting versions 1.6 to 1.6.4 inclusive, fixed in 1.6.5. More details at version-166-released.
  • April 2019: No CVE assigned. Affecting versions 1.6 and 1.6.1, fixed in 1.6.2. More details at version-162-released.
  • December 2018: CVE-2018-20145. Affecting versions 1.5 to 1.5.4 inclusive, fixed in 1.5.5.. More details at version-155-released.
  • November 2018: No CVE assigned. Affecting versions 1.4 to 1.5.3 inclusive, fixed in 1.5.4. More details at version-154-released.
  • September 2018: CVE-2018-12543 affecting versions 1.5 to 1.5.2 inclusive, fixed in 1.5.3.
  • April 2018: CVE-2017-7655 affecting versions 1.0 to 1.4.15 inclusive, fixed in 1.5.
  • April 2018: CVE-2017-7654 affecting versions 1.0 to 1.4.15 inclusive, fixed in 1.5. [security-advisory-cve-2017-7653-cve-2017-7654].
  • April 2018: CVE-2017-7653 affecting versions 1.0 to 1.4.15 inclusive, fixed in 1.5.
  • February 2018: CVE-2017-7651 affecting versions 0.15 to 1.4.14 inclusive, fixed in 1.4.15. More details at security-advisory-cve-2017-7651-cve-2017-7652.
  • February 2018: CVE-2017-7652 affecting versions 1.0 to 1.4.14 inclusive, fixed in 1.4.15. More details at security-advisory-cve-2017-7651-cve-2017-7652.
  • June 2017: CVE-2017-9868 affecting versions 0.15 to 1.4.12 inclusive, fixed in 1.4.13. More details at security-advisory-cve-2017-9868.
  • May 2017: CVE-2017-7650 affecting versions 0.15 to 1.4.11 inclusive, fixed in 1.4.12. More details at security-advisory-cve-2017-7650.