{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25627", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-04T05:15:41.789Z", "datePublished": "2026-03-30T20:11:08.586Z", "dateUpdated": "2026-03-31T19:09:34.784Z"}, "containers": {"cna": {"title": "nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"}, {"name": "https://github.com/nanomq/NanoNNG/pull/1405", "tags": ["x_refsource_MISC"], "url": "https://github.com/nanomq/NanoNNG/pull/1405"}, {"name": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e", "tags": ["x_refsource_MISC"], "url": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e"}, {"name": "https://github.com/nanomq/nanomq/releases/tag/0.24.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/nanomq/nanomq/releases/tag/0.24.8"}], "affected": [{"vendor": "nanomq", "product": "nanomq", "versions": [{"version": "< 0.24.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T20:11:08.586Z"}, "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ\u2019s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8."}], "source": {"advisory": "GHSA-w4rh-v3h2-j29x", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:38:44.968276Z", "id": "CVE-2026-25627", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:09:34.784Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25627", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T18:38:44.968276Z"}}}], "references": [{"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:07:04.865Z"}}], "cna": {"title": "nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket", "source": {"advisory": "GHSA-w4rh-v3h2-j29x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nanomq", "product": "nanomq", "versions": [{"status": "affected", "version": "< 0.24.8"}]}], "references": [{"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x", "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nanomq/NanoNNG/pull/1405", "name": "https://github.com/nanomq/NanoNNG/pull/1405", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e", "name": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nanomq/nanomq/releases/tag/0.24.8", "name": "https://github.com/nanomq/nanomq/releases/tag/0.24.8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ\u2019s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T20:11:08.586Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25627", "state": "PUBLISHED", "dateUpdated": "2026-03-31T19:09:34.784Z", "dateReserved": "2026-02-04T05:15:41.789Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-30T20:11:08.586Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ\u2019s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8."}, {"lang": "es", "value": "NanoMQ MQTT Broker (NanoMQ) es una plataforma de mensajer\u00eda de borde integral. Antes de la versi\u00f3n 0.24.8, el transporte MQTT-over-WebSocket de NanoMQ puede colapsar al enviar un paquete MQTT con una longitud restante (Remaining Length) deliberadamente grande en la cabecera fija mientras se proporciona una carga \u00fatil real mucho m\u00e1s corta. La ruta del c\u00f3digo copia bytes de la longitud restante sin verificar que el b\u00fafer de recepci\u00f3n actual contenga esa cantidad de bytes, lo que resulta en una lectura fuera de l\u00edmites (ASAN informa OOB / fallo). Esto puede ser activado remotamente a trav\u00e9s del oyente de WebSocket. Este problema ha sido parcheado en la versi\u00f3n 0.24.8."}], "id": "CVE-2026-25627", "lastModified": "2026-04-01T14:24:21.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-30T21:17:07.750", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e"}, {"source": "security-advisories@github.com", "url": "https://github.com/nanomq/NanoNNG/pull/1405"}, {"source": "security-advisories@github.com", "url": "https://github.com/nanomq/nanomq/releases/tag/0.24.8"}, {"source": "security-advisories@github.com", "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.24.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nanomq", "source": "cna", "vendor": "nanomq"}, "product": "nanomq", "vendor": "nanomq"}], "analysis": {"en": {"generated_at": "2026-03-31T05:41:33.692493+00:00", "value": {"mitigation_remediation": ["Upgrade NanoMQ to version 0.24.8 or later", "If an update cannot be applied immediately, restrict external access to the MQTT\u2011over\u2011WebSocket listener using a firewall or access control list", "Monitor broker logs for anomalous packets and packet sizes for signs of malicious activity"], "summary": {"action": "Immediate Patch", "impact": "Out\u2011of\u2011bounds read causing a broker crash and denial of service"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in NanoMQ version 0.24.7 and earlier. Versions 0.24.8 and later include the fix. Any deployment of NanoMQ that exposes the MQTT\u2011over\u2011WebSocket listener is susceptible.", "description_and_impact": "A malformed MQTT packet with an excessively large Remaining Length field is accepted by NanoMQ\u2019s WebSocket transport. The broker copies the requested amount of bytes from the receive buffer without ensuring the buffer actually contains that many bytes, triggering an out\u2011of\u2011bounds read that can result in a crash. This is identified as CWE\u2011125 and delivers a denial\u2011of\u2011service effect.", "risk_and_exploitability": "The CVSS base score is 6.5, indicating a moderate severity. Exploitation requires remote access to the WebSocket port; no authentication is required, so an attacker can send the crafted packet from anywhere that can reach the broker. EPSS data is not available and the vulnerability is not listed in CISA\u2019s KEV catalogue, but the combination of a moderate CVSS score and open\u2011to\u2011attack vector raises the risk to a significant level."}}}}, "created": "2026-03-31T20:00:01.098618+00:00", "updated": "2026-03-31T20:40:14.509828+00:00", "vendors": ["nanomq", "nanomq$PRODUCT$nanomq"]}