Overview
CVE-2025-66217 identifies a critical vulnerability in AIS-catcher, a multi-platform AIS receiver, affecting versions prior to 0.64. The flaw lies in the MQTT parsing logic and stems from an integer underflow. A malicious actor can trigger a heap buffer overflow with a crafted MQTT packet whose Topic Length field has been manipulated. The immediate result is a Denial of Service (DoS); when AIS-catcher is embedded as a library, the same memory corruption could potentially be leveraged for Remote Code Execution (RCE).
Technical Details
The vulnerability is rooted in the way AIS-catcher handles the Topic Length field of an MQTT packet. Because the field is taken from the packet without being checked against the number of bytes actually received, a crafted value makes the length arithmetic underflow (wrap around). According to the advisory, the resulting value is used to size a buffer that is much smaller than the topic data actually present in the packet, so writing that data into the buffer overflows the heap allocation and corrupts adjacent memory. A crash (DoS) follows reliably; whether the corruption can be turned into arbitrary code execution depends on the surrounding process, which is why the RCE scenario is most relevant when AIS-catcher is compiled into a larger application as a library.
Example of the affected code (hypothetical, based on the vulnerability description; get_topic_length and copy_topic_data are placeholder helpers, not the project's own functions):
#include <stdint.h>
#include <stdlib.h>

// Vulnerable code snippet (illustrative only)
uint16_t topic_length = get_topic_length(packet);   // derived from the attacker-controlled Topic Length field; wraps on a crafted packet
char* topic_buffer = (char*)malloc(topic_length);    // undersized buffer when the length has wrapped
if (topic_buffer != NULL) {
    copy_topic_data(topic_buffer, packet);           // copies every topic byte present in the packet, more than topic_length: heap buffer overflow
    // ...
    free(topic_buffer);
}
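The following is an added example (not AIS-catcher's code and not taken from the advisory) that shows the underflow class described above on a minimal MQTT 3.1.1 PUBLISH parser, with the unchecked length arithmetic beside a hardened version. It assumes a QoS 0 PUBLISH with a single-byte Remaining Length; the two packets and the MAX_TOPIC_LEN policy cap are constructed for the demo. The unchecked function deliberately returns the wrapped length instead of using it, so running it on the crafted packet is safe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of an MQTT 3.1.1 PUBLISH packet (QoS 0, single-byte Remaining Length),
 * which is all this demo handles:
 *   byte 0     : control byte 0x3x (PUBLISH)
 *   byte 1     : Remaining Length = number of bytes that follow this one
 *   bytes 2..3 : Topic Length, big-endian
 *   next       : Topic (Topic Length bytes)
 *   rest       : application payload (Remaining Length - 2 - Topic Length bytes)
 */

#define MAX_TOPIC_LEN 1024 /* policy cap; an assumption for this demo, not an AIS-catcher value */

typedef struct {
    const uint8_t *topic;
    size_t topic_len;
    const uint8_t *payload;
    size_t payload_len;
} publish_t;

static size_t read_topic_len(const uint8_t *pkt) {
    return ((size_t)pkt[2] << 8) | pkt[3];
}

/* Vulnerable pattern: trusts the Topic Length field. When it exceeds the bytes
 * actually present, the unsigned subtraction wraps to a huge value. The wrapped
 * length is returned rather than used, so this is safe to call on crafted input. */
int payload_len_unchecked(const uint8_t *pkt, size_t pkt_len, size_t *out_len) {
    if (pkt_len < 4) return -1;
    size_t remaining = pkt[1];
    size_t topic_len = read_topic_len(pkt);
    *out_len = remaining - 2 - topic_len; /* integer underflow on a crafted Topic Length */
    return 0;
}

/* Hardened parser: every length is checked against what is actually on the wire
 * before any pointer is derived from it, and the topic is capped by a policy limit. */
int parse_publish_checked(const uint8_t *pkt, size_t pkt_len, publish_t *out) {
    if (pkt_len < 4) return -1;
    if ((pkt[0] & 0xF0) != 0x30) return -1;   /* not a PUBLISH */
    if (pkt[0] & 0x06) return -1;             /* QoS 1/2 carry a Packet Identifier; out of scope */
    if (pkt[1] & 0x80) return -1;             /* multi-byte Remaining Length; out of scope */
    size_t remaining = pkt[1];
    if (remaining != pkt_len - 2) return -1;  /* Remaining Length must match the bytes received */
    size_t topic_len = read_topic_len(pkt);
    if (topic_len > remaining - 2) return -1; /* the check whose absence lets the subtraction wrap */
    if (topic_len > MAX_TOPIC_LEN) return -1; /* policy cap on topic size */
    out->topic = pkt + 4;
    out->topic_len = topic_len;
    out->payload = pkt + 4 + topic_len;
    out->payload_len = remaining - 2 - topic_len; /* cannot wrap after the check above */
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t BENIGN_PKT[] = {
    0x30, 0x10, 0x00, 0x08,                      /* PUBLISH, 16 bytes follow, topic length 8 */
    'a', 'i', 's', '/', 'n', 'm', 'e', 'a',      /* topic "ais/nmea" */
    '!', 'A', 'I', 'V', 'D', 'M'                 /* 6-byte payload */
};
/* Remaining Length says 4 bytes follow, but Topic Length claims 65535. */
static const uint8_t CRAFTED_PKT[] = { 0x30, 0x04, 0xFF, 0xFF, 'A', 'B' };

int main(void) {
    publish_t p;
    size_t wrapped = 0;
    if (parse_publish_checked(BENIGN_PKT, sizeof BENIGN_PKT, &p) == 0)
        printf("benign: topic=%.*s payload_len=%zu\n",
               (int)p.topic_len, (const char *)p.topic, p.payload_len);
    payload_len_unchecked(CRAFTED_PKT, sizeof CRAFTED_PKT, &wrapped);
    printf("crafted, unchecked: payload length wraps to %zu\n", wrapped);
    printf("crafted, checked: %s\n",
           parse_publish_checked(CRAFTED_PKT, sizeof CRAFTED_PKT, &p) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two checks that matter are that the Topic Length is bounded by the bytes that actually arrived (remaining - 2) and that the Remaining Length itself matches the buffer handed to the parser; either one alone still leaves a way to derive a pointer or size from attacker-controlled arithmetic. The policy cap is separate from correctness and simply refuses topics no sane client would send.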
CVSS Analysis
Currently, a CVSS score for CVE-2025-66217 is not available (N/A). However, based on the description and potential impact (DoS and RCE), it is likely to be classified as a HIGH or CRITICAL severity vulnerability once a score is assigned.
Possible Impact
- Denial of Service (DoS): The most immediate and readily achievable impact is a DoS. By sending a malformed MQTT packet, an attacker can crash the AIS-catcher application.
- Remote Code Execution (RCE): In scenarios where AIS-catcher is used as a library within a larger application, the heap buffer overflow can be exploited to achieve RCE. This would allow an attacker to execute arbitrary code on the affected system, potentially gaining complete control.
Mitigation or Patch Steps
The vulnerability has been addressed in AIS-catcher version 0.64. Users are strongly advised to upgrade to version 0.64 or later as soon as possible. If an immediate upgrade is not feasible, restrict which hosts can reach the MQTT interface at the network level so that only trusted sources can deliver packets to it; a filtering proxy that parses MQTT could additionally enforce a maximum Topic Length. These are stopgaps: they reduce exposure but do not remove the underlying parsing bug.
To upgrade, download the latest version from the official AIS-catcher repository.
References
- AIS-catcher Commit e0f7242eee659909adc11a4c561c3f7011bdefe7 – Patch addressing the vulnerability.
- AIS-catcher Security Advisory GHSA-93mj-c8q3-69rg – GitHub Security Advisory detailing the vulnerability.
