Eclipse Paho Go MQTT Library Integer Truncation Vulnerability Leading to Protocol Smuggling

Vulnerability

A vulnerability exists in the Eclipse Paho Go MQTT v3.1 library in versions up to and including 1.5.0. MQTT encodes UTF-8 strings such as topic names with a two-byte big-endian length prefix, so a string can be at most 65,535 bytes. When the library encodes a longer string it narrows the Go int length to the 16-bit prefix without checking for overflow, yet still writes every byte of the string. The prefix therefore describes only the string length modulo 65,536, and the surplus bytes sit beyond the field boundary the prefix declares. In a PUBLISH packet this means topic bytes are laid out where the receiver expects the fields that follow the topic, so topic data leaks into the message body and the packet structure no longer matches what the prefix announces.

Impact

Exploitation of this vulnerability results in protocol smuggling: bytes intended for one field (the topic) are parsed by the receiver as the field that follows it. At QoS 0 that is the message payload; at QoS 1 or 2 the packet identifier precedes the payload in the PUBLISH variable header, so it is misread first. A broker or subscriber that trusts the length prefix without cross-checking it against the packet's remaining length will accept and act on the misparsed message. Note that the oversize topic must be supplied by the publishing application, so the practical precondition is an application that lets untrusted input choose the topic name without bounding its length.

Reproduction

To reproduce this vulnerability, publish a message using the Paho Go MQTT library version 1.5.0 or earlier with a topic longer than 65,535 bytes. Capture the resulting PUBLISH packet (for example with a packet capture on the client's connection) and compare the two-byte topic length prefix with the number of topic bytes actually present: the prefix holds only the length modulo 65,536, and the surplus topic bytes appear at the start of what a receiver parses as the message body, violating the MQTT protocol's requirement that an encoded string not exceed 65,535 bytes.
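The following Go program is an added illustration of the fault pattern described in the Vulnerability and Reproduction sections; it is not code from the Paho library or from the advisory's authors. EncodeStringTruncating is a reconstruction of the described behaviour (16-bit length prefix, all bytes appended), EncodeStringChecked is the hardened form, and DecodePublishBody reads a PUBLISH body the way a receiver does so the field boundary shift is visible. The topic and payload values are constructed for the demonstration, and the QoS 0 PUBLISH layout (topic string followed directly by the payload) follows the MQTT 3.1.1 specification.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// MaxMQTTString is the largest byte length a two-byte MQTT length prefix can express.
const MaxMQTTString = 65535

// EncodeStringTruncating reproduces the fault pattern the advisory describes
// (an illustrative reconstruction, not the Paho library's own code): the
// length prefix is the Go int length narrowed to 16 bits, yet every byte of
// the string is still appended. For a string longer than 65,535 bytes the
// prefix therefore covers only len mod 65536 of the bytes that follow it.
func EncodeStringTruncating(s string) []byte {
	out := make([]byte, 2, 2+len(s))
	binary.BigEndian.PutUint16(out, uint16(len(s))) // silent narrowing
	return append(out, s...)
}

// EncodeStringChecked is the hardened variant: reject anything the prefix
// cannot describe instead of emitting a malformed field.
func EncodeStringChecked(s string) ([]byte, error) {
	if len(s) > MaxMQTTString {
		return nil, fmt.Errorf("mqtt string is %d bytes, limit is %d", len(s), MaxMQTTString)
	}
	return EncodeStringTruncating(s), nil
}

// BuildPublishBody assembles the variable header and payload of a QoS 0
// PUBLISH packet: the topic string followed directly by the application
// message (at QoS 0 there is no packet identifier in between). The fixed
// header is omitted; its remaining-length field counts real bytes and is
// not where the field boundary goes wrong.
func BuildPublishBody(encode func(string) []byte, topic string, payload []byte) []byte {
	return append(encode(topic), payload...)
}

// DecodePublishBody parses the body the way a receiver does: read the two-byte
// prefix, take that many bytes as the topic, and treat the rest as payload.
func DecodePublishBody(body []byte) (topic string, payload []byte, err error) {
	if len(body) < 2 {
		return "", nil, errors.New("body shorter than length prefix")
	}
	n := int(binary.BigEndian.Uint16(body))
	if len(body) < 2+n {
		return "", nil, errors.New("body shorter than declared topic")
	}
	return string(body[2 : 2+n]), body[2+n:], nil
}

// RoundTrip encodes a PUBLISH body for a constructed topic of topicLen 'a'
// bytes and the given payload, then decodes it as a receiver would, so the
// caller can compare what was sent with what the receiver sees.
func RoundTrip(encode func(string) []byte, topicLen int, payload string) (gotTopicLen int, gotPayload []byte, err error) {
	topic := strings.Repeat("a", topicLen)
	body := BuildPublishBody(encode, topic, []byte(payload))
	gotTopic, gotPayload, err := DecodePublishBody(body)
	if err != nil {
		return 0, nil, err
	}
	return len(gotTopic), gotPayload, nil
}

func main() {
	const payload = "hello" // constructed application message
	for _, topicLen := range []int{10, 65535, 65536, 70000} {
		tl, p, err := RoundTrip(EncodeStringTruncating, topicLen, payload)
		if err != nil {
			fmt.Printf("topic %6d bytes: decode error: %v\n", topicLen, err)
			continue
		}
		// Anything before the real payload in p is topic data that crossed the field boundary.
		leaked := len(p) - len(payload)
		fmt.Printf("topic %6d bytes: receiver sees topic=%5d bytes, payload=%6d bytes (%d leaked topic bytes)\n",
			topicLen, tl, len(p), leaked)
		if _, err := EncodeStringChecked(strings.Repeat("a", topicLen)); err != nil {
			fmt.Printf("  hardened encoder: %v\n", err)
		}
	}
}
```

Running it shows the two interesting boundaries: a 65,536-byte topic wraps the prefix to zero, so the receiver sees an empty topic and the entire topic as payload, while a 70,000-byte topic yields a 4,464-byte topic with the remaining 65,536 topic bytes prepended to the real message. The checked encoder refuses both before any bytes reach the wire.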

Remediation

Users should upgrade to Eclipse Paho Go MQTT library version 1.5.1 or later, which fixes the issue by truncating overly long strings before encoding them, so the length prefix and the bytes written agree. Independently of the library version, application code should bound or reject topic names taken from untrusted input before calling Publish: MQTT v3.1.1 limits encoded UTF-8 strings to 65,535 bytes, so any longer topic is invalid regardless of how the client encodes it.

Added: Dec 2, 2025, 9:21 AM
Updated: Dec 2, 2025, 9:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.3
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.