NanoMQ
cpe:2.3:a:emqx:nanomq:*:*:*:*:*:*:*
- 0.24.6
A denial-of-service vulnerability has been identified in NanoMQ MQTT Broker version 0.24.6. When HTTP authentication is enabled and a client connects without providing a username or password, the broker crashes. This occurs because the authentication configuration uses placeholders for username and password, leading to a NULL pointer dereference. The vulnerability can be exploited remotely, causing a segmentation fault and crashing the broker process.
Exploitation of this vulnerability leads to a process crash, causing a denial-of-service condition on the MQTT broker.
To reproduce this vulnerability, first enable HTTP authentication in the NanoMQ configuration, using placeholders for the username and password. Then, connect to the broker using an MQTT client without providing authentication credentials. The broker will crash, demonstrating the vulnerability.
Users can upgrade to NanoMQ version 0.24.7, where this vulnerability has been fixed.
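The bug class described above, shown as an added C example that is not NanoMQ's code or its actual fix: a placeholder expander that treats credentials absent from the CONNECT packet as empty strings instead of passing NULL to string functions. The `%u`, `%P` and `%c` placeholder names, the `conn_info` struct and `expand_placeholders` are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical per-connection record. An MQTT CONNECT packet may omit the
 * username and password, in which case both pointers are NULL. */
struct conn_info { const char *client_id, *username, *password; };

/* A missing field expands to "" so later strlen/memcpy never see NULL. */
static const char *field_or_empty(const char *v) { return v ? v : ""; }

/* Expand %u, %P and %c (assumed placeholder names) from tmpl into out.
 * Returns the length written, or -1 on bad arguments or if out is too small. */
int expand_placeholders(const char *tmpl, const struct conn_info *ci,
                        char *out, size_t cap)
{
    size_t n = 0;
    if (!tmpl || !ci || !out || cap == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        char lit[2] = { *p, '\0' };
        const char *val = NULL;
        if (*p == '%') {
            switch (p[1]) {
            case 'u': val = field_or_empty(ci->username);  break;
            case 'P': val = field_or_empty(ci->password);  break;
            case 'c': val = field_or_empty(ci->client_id); break;
            }
        }
        if (val) p++;          /* consumed the placeholder letter */
        else     val = lit;    /* ordinary character, copied as-is */
        size_t len = strlen(val);
        if (len >= cap - n) return -1;   /* keep room for the NUL */
        memcpy(out + n, val, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    struct conn_info anon = { "sensor-1", NULL, NULL };  /* constructed input */
    char body[128];
    if (expand_placeholders("username=%u&password=%P&clientid=%c",
                            &anon, body, sizeof body) >= 0)
        puts(body);
    return 0;
}
```

Whether an empty credential should reach the HTTP authentication endpoint or the connection should be refused outright is a policy choice; either way the NULL case is decided before any string function runs.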