CVE-2025-56352
Description
In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while CleanSession is set to 0, the broker correctly replies with a CONNACK return code 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection. Since the surrounding connection teardown logic is not guaranteed to execute, each such invalid CONNECT attempt leaves the underlying socket open. Repeated attempts cause server-side resource exhaustion due to accumulating file descriptors and memory usage, potentially resulting in denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
tinyMQTT broker fails to close TCP connection after rejecting a zero-length Client ID with CleanSession=0, leading to resource exhaustion from accumulated open sockets.
Vulnerability
In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing [1]. When it receives a CONNECT packet with a zero-length Client ID while the CleanSession flag is set to 0, the broker correctly replies with a CONNACK return code 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection [1]. The surrounding connection teardown logic is not guaranteed to execute, meaning each such invalid CONNECT attempt leaves the underlying socket open [1].
Exploitation
An attacker can send many CONNECT packets with a zero-length Client ID and CleanSession=0 from the same or multiple hosts [2]. The broker sends the CONNACK(0x02) but keeps the socket open; the attacker can keep the connection alive by not closing it, for example by sleeping indefinitely [2]. Repeated attempts (as shown in the proof-of-concept with 60000 threads) cause server-side resource exhaustion due to accumulating file descriptors and memory usage [1][2]. No authentication or special network position is required beyond being able to reach the broker's TCP port [2].
Impact
Under sustained attack, the broker exhausts its available file descriptors and memory, becoming unresponsive or being killed by the operating system [1]. This results in a denial of service (DoS) condition, preventing legitimate clients from connecting or receiving messages [1].
Mitigation
No official fix has been released by the vendor as of the publication date. According to the issue report [1], the fix should involve explicitly closing the TCP connection after sending a CONNACK with return code 0x02 for a zero-length Client ID and CleanSession=0. Users who cannot apply a patch may mitigate by implementing network-level rate limiting or firewall rules to restrict the number of connections from a single source, or by monitoring for unusual numbers of half-open connections [1].
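The fix the issue report asks for is the behaviour MQTT 3.1.1 already mandates (section 3.1.3.1: a zero-byte Client Identifier with CleanSession set to 0 gets CONNACK return code 0x02 and the server then closes the network connection). The following is an added illustration, written for this page and not taken from tinyMQTT's source: a minimal CONNECT parser plus a handler that always pairs a non-zero CONNACK return code with closing the transport. The `transport` hook struct, the function names and the in-memory mock used to exercise the handler are this example's own assumptions; the CONNECT packets it builds are constructed test input, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* CONNACK return codes (MQTT 3.1.1, section 3.2.2.3). */
#define CONNACK_ACCEPTED            0x00
#define CONNACK_IDENTIFIER_REJECTED 0x02

/* Bit 1 of the Connect Flags byte is Clean Session. */
#define CONNECT_FLAG_CLEAN_SESSION  0x02

/* The parts of a CONNECT packet this check needs. */
typedef struct {
    int    clean_session;
    size_t client_id_len;
} connect_info;

/* Decode the MQTT "remaining length" varint. Returns bytes consumed, 0 on error. */
static size_t decode_remaining_length(const uint8_t *p, size_t len, size_t *out)
{
    size_t value = 0, mult = 1, i;
    for (i = 0; i < 4 && i < len; i++) {
        value += (size_t)(p[i] & 0x7F) * mult;
        if ((p[i] & 0x80) == 0) { *out = value; return i + 1; }
        mult *= 128;
    }
    return 0;
}

/* Parse a complete CONNECT packet (fixed header included). 0 on success, -1 if malformed. */
int parse_connect(const uint8_t *pkt, size_t len, connect_info *info)
{
    size_t rem, hdr, body_start;
    const uint8_t *body;

    if (len < 2 || (pkt[0] & 0xF0) != 0x10) return -1;          /* not a CONNECT packet */
    hdr = decode_remaining_length(pkt + 1, len - 1, &rem);
    if (hdr == 0) return -1;
    body_start = 1 + hdr;
    if (rem < 12 || body_start + rem > len) return -1;            /* variable header (10) + Client ID length (2) */
    body = pkt + body_start;
    /* Protocol name "MQTT" with 2-byte length prefix, then protocol level 4. */
    if (body[0] != 0 || body[1] != 4 || memcmp(body + 2, "MQTT", 4) != 0 || body[6] != 4) return -1;
    info->clean_session = (body[7] & CONNECT_FLAG_CLEAN_SESSION) != 0;
    /* body[8..9] = keep alive; body[10..11] = Client Identifier length. */
    info->client_id_len = ((size_t)body[10] << 8) | body[11];
    if (12 + info->client_id_len > rem) return -1;               /* Client ID runs past the packet */
    return 0;
}

/* The identifier rule: a zero-length Client ID requires CleanSession=1. */
uint8_t connect_return_code(const connect_info *info)
{
    if (info->client_id_len == 0 && !info->clean_session)
        return CONNACK_IDENTIFIER_REJECTED;
    return CONNACK_ACCEPTED;
}

/* Transport hooks (assumed interface) so the handler can run without a real socket. */
typedef struct {
    void *ctx;
    int  (*send)(void *ctx, const uint8_t *buf, size_t len);
    void (*close)(void *ctx);
} transport;

/* Handle one CONNECT: reply with CONNACK, and close the transport whenever the
 * return code is non-zero. Returns 1 if closed, 0 if the session stays open,
 * -1 if the packet was malformed (closed without a CONNACK). */
int handle_connect(transport *t, const uint8_t *pkt, size_t len)
{
    connect_info info;
    uint8_t connack[4] = { 0x20, 0x02, 0x00, 0x00 };

    if (parse_connect(pkt, len, &info) != 0) {
        t->close(t->ctx);                      /* protocol violation: drop the connection */
        return -1;
    }
    connack[3] = connect_return_code(&info);
    t->send(t->ctx, connack, sizeof connack);
    if (connack[3] != CONNACK_ACCEPTED) {
        t->close(t->ctx);                      /* the missing step: a rejected socket must not stay open */
        return 1;
    }
    return 0;
}

/* In-memory mock transport (constructed for this demonstration). */
typedef struct { int closed; uint8_t last_rc; } mock_state;
uint8_t last_connack_rc = 0xFF;                /* return code seen by the mock on the last run */
static int  mock_send(void *ctx, const uint8_t *buf, size_t len)
{ ((mock_state *)ctx)->last_rc = (len == 4) ? buf[3] : 0xFF; return (int)len; }
static void mock_close(void *ctx) { ((mock_state *)ctx)->closed++; }

/* Build a constructed CONNECT with the given flags and Client ID, run the handler,
 * and return 1 if the handler closed the connection, 0 if it left it open. */
int simulate(int clean_session, const char *client_id)
{
    static const uint8_t var_hdr[7] = { 0x00, 0x04, 'M', 'Q', 'T', 'T', 0x04 };
    uint8_t pkt[64];
    size_t idlen = strlen(client_id), n = 0;
    mock_state st = { 0, 0xFF };
    transport t = { &st, mock_send, mock_close };

    pkt[n++] = 0x10;                           /* CONNECT, flags 0 */
    pkt[n++] = (uint8_t)(12 + idlen);          /* remaining length fits one byte for short IDs */
    memcpy(pkt + n, var_hdr, sizeof var_hdr); n += sizeof var_hdr;
    pkt[n++] = clean_session ? CONNECT_FLAG_CLEAN_SESSION : 0;
    pkt[n++] = 0; pkt[n++] = 60;               /* keep alive: 60 s */
    pkt[n++] = (uint8_t)(idlen >> 8); pkt[n++] = (uint8_t)idlen;
    memcpy(pkt + n, client_id, idlen); n += idlen;

    handle_connect(&t, pkt, n);
    last_connack_rc = st.last_rc;
    return st.closed;
}
```

Running `simulate(0, "")` sends CONNACK 0x02 and closes the mock (the case this CVE concerns), while `simulate(1, "")` and `simulate(0, "sensor-1")` are accepted and leave the session open. The point of routing every reject through the same `close` call is that the broker then never depends on surrounding teardown code to run.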
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.