Medium severity · 6.5 · NVD Advisory · Published Dec 28, 2017 · Updated May 13, 2026

CVE-2017-10910


Description

MQTT.js 2.x.x prior to 2.15.0 has an issue in its handling of PUBLISH packets: a single TCP frame containing a large number of PUBLISH packets causes a stack overflow in the client (the fix commit is titled "Do not stack overflow if a TCP frame contains too many PUBLISH"). A remote peer that can send such a frame can use this to cause a denial-of-service condition.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
mqtt (npm) | >= 2.0.0, < 2.15.0 | 2.15.0

Affected products

  • MQTT.js./MQTT.jsv5
    Range: 2.x.x prior to 2.15.0

Patches

403ba53b838f

Do not stack overflow if a TCP frame contains too many PUBLISH

https://github.com/mqttjs/MQTT.jsMatteo CollinaDec 9, 2017via ghsa
2 files changed · +58 3
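--- a/lib/client.js
+++ b/lib/client.js
@@ -249,12 +249,16 @@ MqttClient.prototype._setupStream = function () {
     packets.push(packet)
   })
 
-  function process () {
+  function nextTickWork () {
+    process.nextTick(work)
+  }
+
+  function work () {
     var packet = packets.shift()
     var done = completeParse
 
     if (packet) {
-      that._handlePacket(packet, process)
+      that._handlePacket(packet, nextTickWork)
     } else {
       completeParse = null
       done()
@@ -264,7 +268,7 @@ MqttClient.prototype._setupStream = function () {
   writable._write = function (buf, enc, done) {
     completeParse = done
     parser.parse(buf)
-    process()
+    work()
   }
 
   this.stream.pipe(writable)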
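Review bot: `nextTickWork` carries no comment explaining why the continuation is deferred, and that deferral is the entire fix: presumably `_handlePacket` invokes its callback synchronously, so before this change a frame holding many PUBLISH packets recursed `process → _handlePacket → process` once per packet until the stack overflowed. Add `// defer to the next tick so a frame holding many packets does not recurse through _handlePacket synchronously (stack overflow, CVE-2017-10910)` above `function nextTickWork`. Note that `process.nextTick` callbacks run before any I/O, so one frame with a very large number of packets is still drained to completion before other sockets are serviced; if that matters for this deployment, `setImmediate(work)` would yield to I/O between packets at the cost of per-packet latency — confirm against the project's expectations rather than assume. The old local function was named `process` and shadowed the Node global, which is why the rename was needed for `process.nextTick` to resolve correctly. `_setupStream` begins before and ends after this hunk.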
    
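--- a/test/client.js
+++ b/test/client.js
@@ -7,6 +7,9 @@ var path = require('path')
 var abstractClientTests = require('./abstract_client')
 var net = require('net')
 var eos = require('end-of-stream')
+var mqttPacket = require('mqtt-packet')
+var Buffer = require('safe-buffer').Buffer
+var Duplex = require('readable-stream').Duplex
 var Connection = require('mqtt-connection')
 var Server = require('./server')
 var port = 9876
@@ -148,6 +151,54 @@ describe('MqttClient', function () {
         })
       })
     })
+
+    it('should not go overflow if the TCP frame contains a lot of PUBLISH packets', function (done) {
+      var parser = mqttPacket.parser()
+      var count = 0
+      var max = 1000
+      var duplex = new Duplex({
+        read: function (n) {},
+        write: function (chunk, enc, cb) {
+          parser.parse(chunk)
+          cb() // nothing to do
+        }
+      })
+      var client = new mqtt.MqttClient(function () {
+        return duplex
+      }, {})
+
+      client.on('message', function (t, p, packet) {
+        if (++count === max) {
+          done()
+        }
+      })
+
+      parser.on('packet', function (packet) {
+        var packets = []
+
+        if (packet.cmd === 'connect') {
+          duplex.push(mqttPacket.generate({
+            cmd: 'connack',
+            sessionPresent: false,
+            returnCode: 0
+          }))
+
+          for (var i = 0; i < max; i++) {
+            packets.push(mqttPacket.generate({
+              cmd: 'publish',
+              topic: Buffer.from('hello'),
+              payload: Buffer.from('world'),
+              retain: false,
+              dup: false,
+              messageId: i + 1,
+              qos: 1
+            }))
+          }
+
+          duplex.push(Buffer.concat(packets))
+        }
+      })
+    })
   })
 
   describe('reconnecting', function () {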
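Review bot: The new test calls `done()` inside the `'message'` handler without tearing the client down, so the `MqttClient` built on the fake `duplex` (and any keepalive or reconnect timer this version arms) outlives the assertion; replace the bare `done()` with `client.end(done)`, or `client.end(); done()` if `end` takes no callback in this branch. Whether `max = 1000` is enough to trigger the pre-fix stack overflow depends on the V8 stack size, so confirm that this test actually fails on 2.14.x before relying on it as the regression guard for CVE-2017-10910. `t`, `p` and `n` are unused parameters that the project's linter may flag. The enclosing `describe('MqttClient')` block starts before and ends after this hunk.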
    

Vulnerability mechanics


References


News mentions


No linked articles in our index yet.