ClickCease Debian Security Update Fixed 5 Mosquitto Vulnerabilities

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Debian Security Update Fixed 5 Mosquitto Vulnerabilities

Rohan Timalsina

October 13, 2023 - TuxCare expert team

The Debian team has recently released a security update addressing five vulnerabilities discovered in Mosquitto, which is an open-source MQTT-compatible message broker. These vulnerabilities have the potential to cause denial of service when exploited.

Here, we will discuss the CVEs, severity score, causes, and risks of the mosquitto vulnerabilities.


Five Mosquitto Vulnerabilities Patched


CVSS 3.x Score: 5.3 Medium

When using the dynamic security plugin in Eclipse Mosquitto, if a client loses the ability to subscribe to a topic when a durable client is offline, any existing subscriptions for that client are not revoked.


CVSS 3.x Score: Not Analyzed by NVD

It was found that excessive memory is allocated in Mosquitto before 2.0.16 based on malicious initial packets that are not CONNECT packets.


CVSS 3.x Score: 5.8 Medium

A memory leak issue was discovered in Mosquitto when clients send v5 CONNECT packets with a will message that contains invalid property types.


CVSS 3.x Score: 7.5 High

The broker in Mosquitto contained a memory leak vulnerability that can be exploited remotely when a client sends multiple Q0S 2 messages with duplicate message IDs and fails to respond to PUBREC commands. The issue arises due to the mishandling of EAGAIN errors from the libc send function.


CVSS 3.x Score: 7.5 High

A flaw was identified when an MQTT v5 client connected with many user-property properties and caused excessive CPU usage, resulting in performance loss and potential DoS attacks.

In the old stable distribution (bullseye), these issues have been resolved in version 2.0.11-1+deb11u1, and in the stable distribution (bookworm), these issues have been addressed in version 2.0.11-1.2+deb12u1. It is highly recommended to upgrade your mosquitto packages to fix the mosquitto vulnerabilities and prevent the associated security risk.


The sources for this article can be found on Debian Security Advisory.

Debian Security Update Fixed 5 Mosquitto Vulnerabilities
Article Name
Debian Security Update Fixed 5 Mosquitto Vulnerabilities
Discover the latest Debian security update addressing five Mosquitto vulnerabilities that could cause memory issues or denial of service.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter