CVE-2016-10523
Description
MQTT packet parser before 3.4.6 and 4.0.x before 4.0.5 crashes on crafted packets, enabling low-bandwidth DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The MQTT packet parser (mqtt-packet) before version 3.4.6 and versions 4.0.x before 4.0.5 mishandles specially crafted MQTT packets. An out-of-bounds buffer read occurs when the parser does not validate the protocol name length field, leading to an attempt to read beyond the allocated buffer. This bug was reported in the Mosca broker [2] and fixed in the underlying mqtt-packet library [3]. The issue affects all applications using the vulnerable versions of mqtt-packet, including the Mosca MQTT broker [1][4].
Exploitation
An attacker can send a specially crafted MQTT packet over a network connection. For example, connecting to a standard Mosca broker on port 1883 with a TLS connection (i.e., mqtts://localhost:1883) triggers the crash [2]. The attacker does not need authentication or any special privileges; a single malformed packet with an invalid protocol name length field is sufficient to cause the crash [3]. The attack requires very little bandwidth, making it easy to execute repeatedly [1].
Impact
Successful exploitation causes the MQTT application (e.g., Mosca) to crash due to an uncaught RangeError from the parser [2][3]. This results in a denial of service (DoS) condition, rendering the broker unavailable to legitimate clients. The crash is complete and does not provide any code execution or information disclosure; only availability is affected [1][4].
Mitigation
Users should upgrade the mqtt-packet npm package to version 3.4.6 or later, or 4.0.5 or later [4]. The fix was merged in pull request #8 [3] and is included in those releases. For the Mosca broker specifically, update to a version that depends on the patched mqtt-packet. The Mosca repository is archived and no longer maintained [2]; users should migrate to a supported MQTT broker. No workarounds are documented.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mqtt-packet (npm) | < 3.4.6 | 3.4.6 |
| mqtt-packet (npm) | >= 4.0.0, < 4.0.5 | 4.0.5 |
Affected products
- HackerOne/mqtt-packet node module (v5), Range: <3.4.6 || > 4.0.0 <4.0.5
Patches
f7efa3bf2221 Updated travis to run again.
1 file changed · +1 −1
.travis.yml+1 −1 modified@@ -9,6 +9,6 @@ node_js: - 0.12 - 0.10 script: - node run ci + npm run ci before_install: - node -v | grep v0.8 && npm install npm@1.4.28 -g || echo "no need to update NPM"
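Review bot: on the `script` line, the commit message should say what was wrong with the old command: `node run ci` asks node to execute a file named `run` rather than the package's `ci` script, so the job would not invoke the test run. The hunk touches only .travis.yml and carries none of the parser length checks, so it would be clearer to keep this CI repair separate from the security fix when it is listed as a patch.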
b4c5da64c30a Merge 6896f3a2809321abe01e7fcd70908d7da30ab139 into 6970e76241bcd6dc9efbe5f6a4f1b206ae85799c
Vulnerability mechanics
Root cause
"The MQTT parser does not properly validate packet lengths and protocol identifiers, leading to out-of-bounds buffer access."
Attack vector
An attacker can send a specially crafted MQTT packet, such as a TLS connection attempt to a plain MQTT port, to trigger the vulnerability [ref_id=1]. The malformed packet causes the parser to attempt to read beyond the allocated buffer length, leading to a crash [ref_id=2]. This can be achieved with very little bandwidth, making a denial-of-service attack feasible.
Affected code
The vulnerability lies within the `mqtt-packet` library, specifically in the `Parser._parseConnect` function. This function is responsible for parsing CONNECT packets and does not adequately check for malformed packet structures or buffer boundaries, leading to crashes when processing invalid data [ref_id=2].
What the fix does
The patch addresses the vulnerability by adding checks for the plausibility of string lengths within MQTT packets and ensuring the buffer has sufficient remaining length before parsing [ref_id=2]. Specifically, the parser now validates the protocol identifier string length and prevents out-of-range exceptions that could occur when processing malformed packets, thus mitigating the denial-of-service condition.
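The kind of length check described above, as an added example that is not mqtt-packet's own code: `readLengthPrefixed` and `parseConnectStart` are hypothetical names and both sample buffers are constructed. The second buffer is shaped like the opening bytes of a TLS handshake record; its first byte 0x16 has the CONNECT packet type (1) in its high nibble, which is why such input reaches the CONNECT parsing path.

```javascript
// Added example with hypothetical helper names; not the library's implementation.

// Read a 2-byte big-endian length prefix followed by that many bytes.
// Returns null instead of reading past `end`.
function readLengthPrefixed(buf, pos, end) {
  if (pos + 2 > end) return null;           // no room for the length field
  const len = buf.readUInt16BE(pos);
  if (pos + 2 + len > end) return null;     // declared length exceeds the packet
  const start = pos + 2;
  return { value: buf.toString('utf8', start, start + len), next: start + len };
}

// Parse the start of a CONNECT packet: fixed header, protocol name, protocol level.
// Returns { error } for malformed input rather than throwing.
function parseConnectStart(buf) {
  if (buf.length < 2) return { error: 'truncated fixed header' };
  if (buf[0] >> 4 !== 1) return { error: 'not a CONNECT packet' };
  // Assumption for brevity: only single-byte remaining lengths (< 128).
  if (buf[1] & 0x80) return { error: 'multi-byte remaining length not handled here' };
  const end = 2 + buf[1];
  if (end > buf.length) return { error: 'packet shorter than remaining length' };

  const name = readLengthPrefixed(buf, 2, end);
  if (name === null) return { error: 'protocol name length out of range' };
  if (name.value !== 'MQTT' && name.value !== 'MQIsdp') {
    return { error: 'invalid protocol name' };
  }
  if (name.next >= end) return { error: 'missing protocol level' };
  return { protocolId: name.value, protocolVersion: buf[name.next] };
}

// Constructed sample: start of a well-formed CONNECT (name "MQTT", level 4).
const validConnect = Buffer.from([0x10, 0x07, 0x00, 0x04, 0x4d, 0x51, 0x54, 0x54, 0x04]);

// Constructed sample: bytes shaped like a TLS handshake record header.
// Read as MQTT: type 1 (CONNECT), remaining length 3, name length 0x0100 = 256.
const tlsLike = Buffer.from([0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, 0xc4]);

console.log(parseConnectStart(validConnect)); // parsed protocol fields
console.log(parseConnectStart(tlsLike));      // error object, no exception
```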
Preconditions
- input: A specially crafted MQTT packet that exploits parsing logic flaws.
- network: The target application must be running an affected version of mqtt-packet (before 3.4.6, or 4.0.x before 4.0.5).
Reproduction
require('mqtt').connect('mqtts://localhost:1883');
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g3r2-65gc-qpqc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-10523 (ghsa, ADVISORY)
- github.com/mcollina/mosca/issues/393 (ghsa, x_refsource_MISC, WEB)
- github.com/mqttjs/mqtt-packet/pull/8 (ghsa, x_refsource_MISC, WEB)
- nodesecurity.io/advisories/75 (mitre, x_refsource_MISC)
- www.npmjs.com/advisories/75 (ghsa, WEB)