FlashMQ Assertion Failure Vulnerability in PublishCopyFactory QoS Handling
Vulnerability
An assertion failure vulnerability has been identified in FlashMQ version 1.14.0. The issue arises in the PublishCopyFactory::getNewPublish function when the Quality of Service (QoS) value of the publish object exceeds 0. The assertion failure crashes debug builds of the MQTT broker, because it violates an internal design invariant of the QoS demotion logic. The crash occurs when a retained message with a non-zero topic alias is combined with a persistent session. Release builds do not crash, but the underlying logic flaw could cause silent inconsistencies or undefined behavior in production environments.
Impact
Exploitation of this vulnerability crashes the FlashMQ broker in debug builds, disrupting service. In release builds no crash occurs, but the underlying logic flaw in session state management could still lead to silent errors or undefined behavior in production.
Reproduction
The vulnerability can be reproduced by sending a retained MQTT message with a non-zero topic alias to a FlashMQ broker with a persistent session. This can be done using a Python script that connects to the broker and sends the crafted message, causing the broker to assert and crash.
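As an added, defender-side example that is not part of this advisory or of the FlashMQ project: a small Python inspector that decodes an MQTT v5 PUBLISH packet and flags the message shape the advisory describes, the RETAIN flag combined with a non-zero Topic Alias property (the persistent-session condition is negotiated in CONNECT, so it is not visible in a PUBLISH). The packet bytes below are constructed for illustration.

```python
"""Decode MQTT v5 PUBLISH packets and flag retain + non-zero Topic Alias."""
import struct

TOPIC_ALIAS = 0x23  # MQTT v5 property identifier for Topic Alias (two-byte integer)
# Property identifiers permitted in PUBLISH, mapped to their encoding.
PROP_TYPES = {0x01: "byte", 0x02: "u32", 0x03: "utf8", 0x08: "utf8",
              0x09: "bin", 0x0B: "varint", 0x23: "u16", 0x26: "pair"}

def read_varint(buf, pos):
    """Decode an MQTT variable byte integer; returns (value, next_pos)."""
    value, mult = 0, 1
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed variable byte integer")

def read_bin(buf, pos):
    """Read a length-prefixed (2-byte big-endian) field; returns (bytes, next_pos)."""
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_publish(pkt):
    """Return the PUBLISH fields relevant to the retain/topic-alias condition."""
    if pkt[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    flags = pkt[0] & 0x0F
    qos, retain = (flags >> 1) & 0x03, bool(flags & 0x01)
    remaining, pos = read_varint(pkt, 1)
    end = pos + remaining
    topic, pos = read_bin(pkt, pos)
    if qos > 0:
        pos += 2  # Packet Identifier is present only for QoS 1 and 2
    plen, pos = read_varint(pkt, pos)
    pend, props = pos + plen, {}
    while pos < pend:
        pid = pkt[pos]
        pos += 1
        kind = PROP_TYPES.get(pid)
        if kind is None:
            raise ValueError(f"property 0x{pid:02x} not valid in PUBLISH")
        if kind == "byte":
            val, pos = pkt[pos], pos + 1
        elif kind == "u16":
            val, pos = struct.unpack_from(">H", pkt, pos)[0], pos + 2
        elif kind == "u32":
            val, pos = struct.unpack_from(">I", pkt, pos)[0], pos + 4
        elif kind == "varint":
            val, pos = read_varint(pkt, pos)
        elif kind == "pair":
            k, pos = read_bin(pkt, pos)
            v, pos = read_bin(pkt, pos)
            val = (k, v)
        else:  # utf8 / bin
            val, pos = read_bin(pkt, pos)
        props.setdefault(pid, []).append(val)
    return {"topic": topic.decode(), "qos": qos, "retain": retain,
            "topic_alias": props.get(TOPIC_ALIAS, [0])[0], "payload": pkt[pos:end]}

def is_suspect(pkt):
    """True when RETAIN is set together with a non-zero Topic Alias."""
    f = parse_publish(pkt)
    return f["retain"] and f["topic_alias"] != 0

# Constructed sample packets (not captured traffic): topic "sensors/t", payload "21".
SUSPECT_PUBLISH = (bytes([0x31, 0x11, 0x00, 0x09]) + b"sensors/t"
                   + bytes([0x03, 0x23, 0x00, 0x05]) + b"21")  # retain=1, alias=5
BENIGN_PUBLISH = (bytes([0x30, 0x0E, 0x00, 0x09]) + b"sensors/t"
                  + bytes([0x00]) + b"21")  # retain=0, no properties

if __name__ == "__main__":
    for name, pkt in (("suspect", SUSPECT_PUBLISH), ("benign", BENIGN_PUBLISH)):
        print(name, parse_publish(pkt), "FLAG" if is_suspect(pkt) else "ok")
```

A broker-side proxy or IDS rule built on this check can alert on such messages until the broker is upgraded.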
Remediation
Users are advised to upgrade to FlashMQ version 1.15.1 or later, where this vulnerability has been addressed.
