NanoMQ MQTT Broker Heap-Use-After-Free Vulnerability in TCP Transport Component
Vulnerability
A heap use-after-free vulnerability has been identified in the TCP transport component of the NanoMQ MQTT broker prior to version 0.22.5. It arises from improper resource management and premature cleanup of message and pipe structures, in particular when the broker receives malformed MQTT v5 retained-message traffic. The flaw lives in the NanoNNG library on which the broker relies, specifically in the file 'src/sp/transport/mqtt/broker_tcp.c'. An unauthenticated remote attacker can trigger it by sending specially crafted packets, causing a segmentation fault in the broker process. The resulting crash creates a Denial-of-Service condition for all connected clients.
Impact
Exploitation of this vulnerability causes the NanoMQ broker to crash, leading to a Denial-of-Service condition for all clients connected to the broker.
Remediation
Upgrade to NanoMQ version 0.22.5 or later to address this vulnerability. As a workaround, ensure that the client SDK correctly encodes MQTT v5 messages.
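The workaround depends on every client producing correctly encoded MQTT v5 PUBLISH packets. The following added example is not NanoMQ or NanoNNG code and is not part of this advisory: it is a strict MQTT v5 PUBLISH validator in Python that a test harness, a client-side pre-send check, or an MQTT-aware proxy could use to reject malformed packets (inconsistent Remaining Length, truncated or oversized Property Length, property identifiers not permitted in PUBLISH, wildcard characters in the topic) before they reach a broker. The property identifier table follows the MQTT 5.0 specification; the two sample packets are constructed for this example.

```python
import struct

# Property identifiers permitted in an MQTT v5 PUBLISH packet and their wire types
# (identifiers and types per the MQTT 5.0 specification, section 3.3.2.3).
PUBLISH_PROPERTIES = {
    0x01: "byte",    # Payload Format Indicator
    0x02: "u32",     # Message Expiry Interval
    0x03: "string",  # Content Type
    0x08: "string",  # Response Topic
    0x09: "binary",  # Correlation Data
    0x0B: "varint",  # Subscription Identifier
    0x23: "u16",     # Topic Alias
    0x26: "pair",    # User Property (two UTF-8 strings)
}

class MalformedPacket(ValueError):
    """Raised when a packet violates the MQTT v5 encoding rules."""

def decode_varint(buf, pos):
    """Decode a Variable Byte Integer (1-4 bytes, 7 data bits each, 0x80 = continue)."""
    value, mult = 0, 1
    for i in range(4):
        if pos + i >= len(buf):
            raise MalformedPacket("truncated variable byte integer")
        b = buf[pos + i]
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos + i + 1
        mult *= 128
    raise MalformedPacket("variable byte integer longer than 4 bytes")

def decode_binary(buf, pos):
    """Decode a Binary Data field: 2-byte big-endian length followed by the bytes."""
    if pos + 2 > len(buf):
        raise MalformedPacket("truncated length prefix")
    n = struct.unpack_from(">H", buf, pos)[0]
    end = pos + 2 + n
    if end > len(buf):
        raise MalformedPacket("length prefix exceeds packet")
    return buf[pos + 2:end], end

def decode_string(buf, pos):
    """Decode a UTF-8 String field; invalid UTF-8 and NUL characters are rejected."""
    raw, end = decode_binary(buf, pos)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise MalformedPacket("invalid UTF-8 in string") from None
    if "\x00" in text:
        raise MalformedPacket("NUL character in string")
    return text, end

def decode_properties(buf):
    """Decode a PUBLISH property list, rejecting identifiers not allowed in PUBLISH."""
    props, pos = [], 0
    while pos < len(buf):
        ident, pos = decode_varint(buf, pos)
        kind = PUBLISH_PROPERTIES.get(ident)
        if kind is None:
            raise MalformedPacket(f"property 0x{ident:02x} not allowed in PUBLISH")
        if kind == "byte":
            if pos >= len(buf):
                raise MalformedPacket("truncated property")
            value, pos = buf[pos], pos + 1
        elif kind in ("u16", "u32"):
            fmt, size = (">H", 2) if kind == "u16" else (">I", 4)
            if pos + size > len(buf):
                raise MalformedPacket("truncated property")
            value, pos = struct.unpack_from(fmt, buf, pos)[0], pos + size
        elif kind == "varint":
            value, pos = decode_varint(buf, pos)
        elif kind == "string":
            value, pos = decode_string(buf, pos)
        elif kind == "binary":
            value, pos = decode_binary(buf, pos)
        else:  # "pair"
            key, pos = decode_string(buf, pos)
            val, pos = decode_string(buf, pos)
            value = (key, val)
        props.append((ident, value))
    return props

def parse_publish_v5(packet):
    """Validate and decode an MQTT v5 PUBLISH packet; raise MalformedPacket on any violation."""
    if len(packet) < 2 or packet[0] >> 4 != 3:
        raise MalformedPacket("not a PUBLISH packet")
    flags = packet[0] & 0x0F
    qos, retain = (flags >> 1) & 0x03, bool(flags & 0x01)
    if qos == 3:
        raise MalformedPacket("QoS 3 is reserved")
    remaining, pos = decode_varint(packet, 1)
    if pos + remaining != len(packet):
        raise MalformedPacket("remaining length does not match packet size")
    topic, pos = decode_string(packet, pos)
    if "#" in topic or "+" in topic:
        raise MalformedPacket("wildcard characters are not allowed in a PUBLISH topic")
    packet_id = None
    if qos > 0:  # Packet Identifier is present only for QoS 1 and 2
        if pos + 2 > len(packet):
            raise MalformedPacket("truncated packet identifier")
        packet_id = struct.unpack_from(">H", packet, pos)[0]
        pos += 2
        if packet_id == 0:
            raise MalformedPacket("packet identifier must be non-zero")
    prop_len, pos = decode_varint(packet, pos)
    if pos + prop_len > len(packet):
        raise MalformedPacket("property length exceeds packet")
    props = decode_properties(packet[pos:pos + prop_len])
    return {"topic": topic, "qos": qos, "retain": retain, "packet_id": packet_id,
            "properties": props, "payload": packet[pos + prop_len:]}

def is_well_formed(packet):
    """Convenience gate: True if the packet passes every check above."""
    try:
        parse_publish_v5(packet)
        return True
    except MalformedPacket:
        return False

# Constructed sample: retained QoS 1 PUBLISH to "sensors/t1", packet id 10,
# one property (Message Expiry Interval = 60 s), payload "21.5".
GOOD_PUBLISH = (bytes.fromhex("33 18 00 0a") + b"sensors/t1"
                + bytes.fromhex("00 0a 05 02 00 00 00 3c") + b"21.5")
# Constructed sample: identical, except the Property Length claims 32 bytes
# while only 9 bytes remain in the packet.
BAD_PUBLISH = (bytes.fromhex("33 18 00 0a") + b"sensors/t1"
               + bytes.fromhex("00 0a 20 02 00 00 00 3c") + b"21.5")

if __name__ == "__main__":
    print(parse_publish_v5(GOOD_PUBLISH))
    print("malformed sample accepted?", is_well_formed(BAD_PUBLISH))
```

Every length field is checked against the bytes actually present before any slice is taken, so the validator fails closed on truncated or oversized encodings instead of reading past the packet; a fuzzing harness for a broker can use the same checks to separate intentionally malformed inputs from encoder bugs.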