FlashMQ Memory Leak Vulnerability in QoS Message Handling
Vulnerability
A memory leak vulnerability has been identified in FlashMQ versions prior to 1.23.2. This issue allows any authenticated user to create sessions that collect Quality of Service (QoS) messages. When these messages are not delivered to a client, they remain queued and are not released when the session eventually expires. This flaw can lead to increased memory usage over time, as the leaked memory is not reclaimed.
Impact
Exploitation of this vulnerability causes memory leaks, with leaked memory not being released until the session is destroyed. This can lead to increased memory consumption and potential degradation of server performance.
Reproduction
The vulnerability can be reproduced by sending eight MQTT Publish packets from a Python script to a FlashMQ broker version 1.23.1. The broker will then leak memory equivalent to the size of the undelivered QoS messages, as they are not released upon session expiration.
Remediation
Users can upgrade to FlashMQ version 1.23.2 or later, where this vulnerability has been fixed.
