CVE-2025-10543
Description
In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0, UTF-8 encoded strings passed into the library may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet).
The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without a check for overflow. The int16 length was then written, followed by the data (e.g. the topic). When the data was over 65535 bytes, the amount of data written therefore exceeded what the length field indicated. This could produce a corrupt packet, or cause the excess data to leak into another field (e.g. the topic leaks into the message body).
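The length wrap-around described above can be reproduced in a few lines. This is an added example, not code from paho.mqtt.golang: the function names and the sample topic are hypothetical, and the packet body is simplified to a QoS 0 PUBLISH without its fixed header. It shows the unchecked encoder beside a checked one, and what a receiver parses from the result.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// encodeUnchecked mirrors the flaw: the length is narrowed to 16 bits with no check.
func encodeUnchecked(s string) []byte {
	out := make([]byte, 2, 2+len(s))
	binary.BigEndian.PutUint16(out, uint16(len(s))) // wraps modulo 65536
	return append(out, s...)                        // but every byte is still written
}

// encodeChecked (hypothetical hardened form) rejects strings the prefix cannot describe.
func encodeChecked(s string) ([]byte, error) {
	if len(s) > 65535 {
		return nil, errors.New("string exceeds 65535 bytes")
	}
	return encodeUnchecked(s), nil
}

// parsePublishBody splits topic and payload as a receiver would (QoS 0, no packet id).
func parsePublishBody(body []byte) (topic, payload []byte, err error) {
	if len(body) < 2 || len(body) < 2+int(binary.BigEndian.Uint16(body)) {
		return nil, nil, errors.New("malformed packet")
	}
	n := int(binary.BigEndian.Uint16(body))
	return body[2 : 2+n], body[2+n:], nil
}

// leakDemo encodes a constructed 65544-byte topic and reports what the receiver sees.
func leakDemo() (topicLen int, leaked bool) {
	topic := "t/" + strings.Repeat("A", 65535) + "/SECRET" // constructed sample input
	body := append(encodeUnchecked(topic), []byte("hello")...)
	t, p, _ := parsePublishBody(body)
	return len(t), bytes.Contains(p, []byte("/SECRET"))
}

func main() {
	n, leaked := leakDemo()
	_, err := encodeChecked(strings.Repeat("A", 65536))
	fmt.Println("topic bytes seen:", n, "tail in payload:", leaked, "checked:", err)
}
```

The 65544-byte topic is announced as 8 bytes (65544 mod 65536), so the receiver treats the remaining topic bytes as the start of the message body.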
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/eclipse/paho.mqtt.golang (Go) | < 1.5.1 | 1.5.1 |
Affected products
- Eclipse Foundation/paho.mqtt.golang (Go MQTT v3.1 library), v5 range: 0
References
- github.com/advisories/GHSA-32fw-gq77-f2f2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-10543 (ghsa, ADVISORY)
- github.com/alpinelinux/build-server-status/commit/e3487897db32c8c3d0287643f8384a6669e93731 (ghsa, WEB)
- github.com/eclipse-paho/paho.mqtt.golang/issues/730 (ghsa, WEB)
- github.com/eclipse-paho/paho.mqtt.golang/pull/714 (ghsa, WEB)
- gitlab.eclipse.org/security/vulnerability-reports/-/issues/254 (ghsa, WEB)