CVE-2019-5432
Description
A malformed MQTT Subscribe packet causes a crash in mqtt-packet decoder, affecting multiple versions before 6.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
The vulnerability is in the mqtt-packet module's parser for MQTT Subscribe packets. When the decoder receives a specially crafted Subscribe packet it crashes. The public description does not state the exact malformation, but in a Node.js parser a crash of this kind means input that was not rejected and an error (for example from a read past the end of the packet) that escaped as an uncaught exception, not a null pointer dereference. This affects all versions before 3.5.1, 4.0.0 through 4.1.3, 5.0.0 through 5.6.1, and 6.0.0 through 6.1.2 [1].
Exploitation
An attacker exploits this by sending a single crafted MQTT Subscribe packet to any Node.js process that parses incoming MQTT traffic with a vulnerable mqtt-packet, typically a broker. No authentication or special network position is required beyond the ability to deliver MQTT bytes to the listener: the crash happens inside the decoder, before the broker's own session, authentication or authorization logic ever sees the packet [1].
Impact
Successful exploitation causes a denial of service: the process embedding the decoder crashes and MQTT messaging stops until it is restarted. Because the fault is in decoding, an unauthenticated client with network reach can trigger it, and the same packet can be sent again as soon as the service comes back, keeping it down [1].
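The root cause, exploitation and impact sections above describe the defect class but not the exact bytes or the patch, so the following is an added illustration written for this page; it is not mqtt-packet's code and not the reproduction from the HackerOne report. It decodes the MQTT 3.1.1 SUBSCRIBE variable header and payload twice: a naive version that trusts the embedded topic length and lets Node's RangeError escape (the crash path), and a bounds-checked version that rejects the same constructed inputs with a typed error the broker can handle by dropping the connection. The sample packets, the function names and MalformedPacketError are all constructed for the example.

```javascript
// Added example for this page, not code from mqtt-packet or from the HackerOne report.
// The description above does not give the exact malformed bytes, so the inputs below are
// constructed to illustrate the defect class: a SUBSCRIBE decoder that trusts the embedded
// topic length and reads past the end of the packet, beside one that bounds-checks every
// read and turns bad input into an ordinary error value.
//
// MQTT 3.1.1 SUBSCRIBE, after the fixed header (type/flags + remaining length, assumed
// already consumed here):
//   variable header: packet identifier, 2 bytes big-endian
//   payload:         one or more of [topic length (2 bytes BE)][topic UTF-8][QoS (1 byte)]

class MalformedPacketError extends Error {}

// Naive decoder: every read trusts that enough bytes exist. Buffer#readUInt8 and
// readUInt16BE past the end throw RangeError (ERR_OUT_OF_RANGE); if nothing upstream
// catches it, the exception unwinds to the event loop and the Node.js process exits.
function naiveDecodeSubscribe(buf) {
  let pos = 0
  const messageId = buf.readUInt16BE(pos); pos += 2
  const subscriptions = []
  while (pos < buf.length) {
    const len = buf.readUInt16BE(pos); pos += 2
    const topic = buf.toString('utf8', pos, pos + len); pos += len // toString silently clamps
    const qos = buf.readUInt8(pos); pos += 1                        // throws when pos >= length
    subscriptions.push({ topic, qos })
  }
  return { messageId, subscriptions }
}

// Hardened decoder: check the remaining length before each read and reject the packet
// with a typed error instead of letting a RangeError escape.
function decodeSubscribe(buf) {
  let pos = 0
  const need = (n, what) => {
    if (pos + n > buf.length) throw new MalformedPacketError(`truncated ${what} at offset ${pos}`)
  }
  need(2, 'packet identifier')
  const messageId = buf.readUInt16BE(pos); pos += 2
  if (pos >= buf.length) throw new MalformedPacketError('SUBSCRIBE with empty payload')
  const subscriptions = []
  while (pos < buf.length) {
    need(2, 'topic length')
    const len = buf.readUInt16BE(pos); pos += 2
    if (len === 0) throw new MalformedPacketError('zero-length topic filter')
    need(len, 'topic filter')
    const topic = buf.toString('utf8', pos, pos + len); pos += len
    need(1, 'QoS byte')
    const qos = buf.readUInt8(pos); pos += 1
    if (qos > 2) throw new MalformedPacketError(`invalid QoS ${qos}`)
    subscriptions.push({ topic, qos })
  }
  return { messageId, subscriptions }
}

// Caller-side contract: malformed input becomes a result the broker can act on
// (log it and close the client connection); anything else is a bug and still propagates.
function safeDecode(buf) {
  try {
    return { ok: true, packet: decodeSubscribe(buf) }
  } catch (err) {
    if (err instanceof MalformedPacketError) return { ok: false, reason: err.message }
    throw err
  }
}

// Constructed inputs (hypothetical, not taken from the advisory).
const SAMPLES = {
  valid:        Buffer.from([0x00, 0x0a, 0x00, 0x03, 0x61, 0x2f, 0x62, 0x01]), // id 10, "a/b", QoS 1
  topicTooLong: Buffer.from([0x00, 0x0a, 0x00, 0x10, 0x61]),                   // claims 16 bytes, has 1
  missingQos:   Buffer.from([0x00, 0x0a, 0x00, 0x03, 0x61, 0x2f, 0x62]),       // topic present, QoS absent
}

// Names of the samples on which the naive decoder throws an untyped error (the crash path).
function naiveCrashes() {
  const crashed = []
  for (const [name, buf] of Object.entries(SAMPLES)) {
    try {
      naiveDecodeSubscribe(buf)
    } catch (err) {
      if (!(err instanceof MalformedPacketError)) crashed.push(name)
    }
  }
  return crashed
}

console.log('naive decoder crashes on:', naiveCrashes())
for (const [name, buf] of Object.entries(SAMPLES)) console.log(name, safeDecode(buf))
```

Running it shows the naive decoder throwing on both malformed samples while the checked decoder returns `{ ok: false, reason: ... }` for them and a parsed packet for the valid one. The point for a broker author is the second half: a parser fed by the network must never let a bounds error reach the event loop, and the caller should treat a decode failure as grounds to close that client, not as a reason to crash.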
Mitigation
Upgrade mqtt-packet to 3.5.1, 4.1.4, 5.6.2, or 6.1.3 or later on the major line in use, as these releases contain the fix. No workaround is available; the only remediation is the maintainers' patch [1]. mqtt-packet is usually a transitive dependency of MQTT client and broker packages, so check the version actually resolved in the dependency tree (for example with `npm ls mqtt-packet`) rather than only direct dependencies, and make sure lockfiles pick up the patched release.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mqtt-packet (npm) | < 3.5.1 | 3.5.1 |
| mqtt-packet (npm) | >= 4.0.0, < 4.1.3 | 4.1.3 |
| mqtt-packet (npm) | >= 5.0.0, < 5.6.1 | 5.6.1 |
| mqtt-packet (npm) | >= 6.0.0, < 6.1.2 | 6.1.2 |
Affected products
- mqtt-packet / mqtt-packet
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wv67-9jq7-8r69 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-5432 (NVD)
- hackerone.com/reports/541354 (HackerOne report)
News mentions
No linked articles in our index yet.