CVE-2025-10543: Large UTF-8 Strings Cause Data Leak in Eclipse Paho Go MQTT

Overview

CVE-2025-10543 is a vulnerability found in the Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang), specifically affecting versions 1.5.0 and earlier. This flaw arises from improper handling of UTF-8 encoded strings exceeding 65535 bytes in length. When such large strings are passed into the library, they may be incorrectly encoded due to an integer overflow. This can lead to sensitive data leaking into unexpected parts of MQTT packets, potentially exposing information such as MQTT topics within the message body of a PUBLISH packet.

Technical Details

The root cause of CVE-2025-10543 lies in the way the Paho Go MQTT library handles the length of outgoing data, such as MQTT topics. Internally, the library narrows the length of the data (held in a Go int, which is 64 or 32 bits wide depending on the system architecture) to a 16-bit int16 value without first checking that it fits. This 16-bit value is then written as the length prefix of the string in the MQTT packet. When the actual data length exceeds 65535 bytes (the largest value the two-byte MQTT length prefix can hold), the narrowing conversion wraps around, so the stored length no longer matches the data that follows it.

Consequences of this wraparound are significant. The int16 length field in the packet incorrectly indicates a much smaller data size than the actual size. As a result, the library might write more data (e.g., the MQTT topic) than the length field specifies. This leads to a corrupt packet, and importantly, the excess data beyond the intended length can “leak” into subsequent fields within the MQTT packet. For example, a portion of the MQTT topic could spill over into the message body of a PUBLISH packet. This unintentional data inclusion constitutes a serious information disclosure vulnerability.

CVSS Analysis

Currently, a CVSS score has not been assigned to CVE-2025-10543. A thorough risk assessment should be conducted, considering factors such as the sensitivity of the data handled by the MQTT topics and messages, the accessibility of the MQTT broker, and the potential for malicious actors to exploit this vulnerability.

Severity: N/A

CVSS Score: N/A

Possible Impact

The potential impact of CVE-2025-10543 is substantial:

  • Data Leakage: Sensitive information contained within MQTT topics can be exposed in the message body or other parts of MQTT packets.
  • Confidentiality Breach: Unauthorized parties could potentially gain access to confidential data through this vulnerability.
  • System Compromise: Depending on the content of the leaked data, attackers might be able to gather information useful for further exploitation or system compromise.
  • Unexpected Application Behavior: Corrupted MQTT packets can cause the receiving application to behave unpredictably, leading to errors or service disruptions.

Mitigation and Patch Steps

To mitigate CVE-2025-10543, the following steps are recommended:

  • Upgrade the Paho Go MQTT Library: Upgrade to a version of the paho.mqtt.golang library that includes a fix for this vulnerability. Consult the Eclipse Paho project’s release notes for the specific version that addresses this issue. While the specific patched version is unavailable at the time of writing, keep an eye on project releases.
  • Input Validation: Implement robust input validation and sanitization measures to ensure that UTF-8 encoded strings passed to the MQTT library do not exceed 65535 bytes. Reject or truncate strings that are too long.
  • Security Audits: Conduct thorough security audits of your applications that utilize the Paho Go MQTT library to identify and address any potential vulnerabilities related to string handling.
  • Implement Network Segmentation: Isolate your MQTT broker and related systems within a secure network segment to limit the potential impact of a successful exploit.
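The following Go program is an added illustration written for this post; it is not code from the paho.mqtt.golang library. It models the length-prefix narrowing described under Technical Details with a deliberately unchecked encoder, shows how a receiver would then misframe a PUBLISH-style body (topic bytes counted as payload), and places the hardened encoder from the Input Validation step beside it. The function names, the 65536-byte test topic and the minimal topic-then-payload body layout are all constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// maxMQTTStringLen is the most an MQTT UTF-8 string can carry: the wire
// format prefixes the bytes with a two-byte big-endian length.
const maxMQTTStringLen = 65535

// encodeStringUnchecked models the flaw: the Go length is narrowed to a
// 16-bit field with no range check. For inputs longer than 65535 bytes the
// prefix wraps, but the full payload is still appended, so the bytes beyond
// the announced length spill into whatever field the receiver parses next.
func encodeStringUnchecked(s string) []byte {
	buf := make([]byte, 2, 2+len(s))
	binary.BigEndian.PutUint16(buf, uint16(len(s))) // silent truncation
	return append(buf, s...)
}

// ErrStringTooLong is returned by the hardened encoder for over-long input.
var ErrStringTooLong = errors.New("mqtt: UTF-8 string exceeds 65535 bytes")

// encodeStringChecked is the hardened form: the length is validated before
// it is narrowed, so an over-long topic is rejected instead of producing a
// corrupt packet.
func encodeStringChecked(s string) ([]byte, error) {
	if len(s) > maxMQTTStringLen {
		return nil, ErrStringTooLong
	}
	buf := make([]byte, 2, 2+len(s))
	binary.BigEndian.PutUint16(buf, uint16(len(s)))
	return append(buf, s...), nil
}

// decodeString parses a length-prefixed string the way a receiver would and
// returns the string plus the unconsumed remainder of the buffer.
func decodeString(b []byte) (string, []byte, error) {
	if len(b) < 2 {
		return "", nil, errors.New("short buffer")
	}
	n := int(binary.BigEndian.Uint16(b))
	if len(b) < 2+n {
		return "", nil, errors.New("truncated string")
	}
	return string(b[2 : 2+n]), b[2+n:], nil
}

// leakedBytes builds a minimal PUBLISH-style body (topic, then payload) with
// the unchecked encoder and reports how many topic bytes a receiver would
// misread as payload. Zero means the packet framed correctly; -1 means the
// receiver could not parse it at all.
func leakedBytes(topic, payload string) int {
	var pkt bytes.Buffer
	pkt.Write(encodeStringUnchecked(topic))
	pkt.WriteString(payload)
	_, rest, err := decodeString(pkt.Bytes())
	if err != nil {
		return -1
	}
	return len(rest) - len(payload)
}

func main() {
	short := "sensors/room1/temp"
	long := strings.Repeat("A", 65536) // constructed over-long topic

	fmt.Println("short topic, leaked bytes:", leakedBytes(short, "21.5"))
	fmt.Println("long topic, leaked bytes: ", leakedBytes(long, "21.5"))

	if _, err := encodeStringChecked(long); err != nil {
		fmt.Println("hardened encoder:", err)
	}
}
```

With the 65536-byte topic the 16-bit prefix wraps to zero, so the receiver reads an empty topic and treats every topic byte as payload; the checked encoder refuses the same input up front. The same check belongs in application code that builds topics from untrusted or user-controlled data, as the Input Validation step recommends, until the library is upgraded.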

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
