CVE-2023-2905: Cesanta Mongoose MQTT Message Parsing Heap Overflow

Vendor Cesanta
Product Mongoose
Weakness CWE-122
Published August 9, 2023
Last update October 10, 2024

CVSS base score

Description

Because it fails to validate the length of a parsed MQTT_CMD_PUBLISH message with a variable-length header, Cesanta Mongoose (an embeddable web server) version 7.10 is susceptible to a heap-based buffer overflow in its default configuration. Versions 7.9 and prior do not appear to be vulnerable. The issue is fixed in version 7.11.

Disclosure timeline

August 9, 2023 CVE published
October 10, 2024 Record updated