Mosquitto is a widely used open-source message broker that facilitates communications between different devices using the MQTT (Message Queuing Telemetry Transport) protocol. Unfortunately, a recently discovered vulnerability, CVE-2023-0809, allows an attacker to cause excessive memory allocation, leading to a Denial-of-Service (DoS) attack, by sending malicious initial packets that are not CONNECT packets to the Mosquitto server. In this post, we will discuss the details of the vulnerability, provide a code snippet to demonstrate the problem, and delve into exploit details. Moreover, links to the original references will be provided for deep investigation.

Vulnerability Details

The vulnerability in question is in the Mosquitto server before version 2..16. An attacker can send malicious initial packets with the first byte in their fixed header not correctly set to the MQTT packet type for CONNECT (x10) when connecting to the Mosquitto service. This causes the server to allocate memory based on the size of individual packets, eventually leading to excessive memory allocation in the system and a possible DoS condition. The official Common Vulnerabilities and Exposures (CVE) page for the vulnerability can be found here:

Affected Versions

The affected versions include Mosquitto before version 2..16. Updating to Mosquitto 2..16 or later mitigates the vulnerability.

Code Snippet

The following Python script demonstrates how an attacker may exploit the vulnerability and cause a DoS attack on the Mosquitto server:

import socket
import time

TARGET_IP = "target_ip_address"

def create_malicious_packet(packet_size):
    packet = b"\x00" * packet_size
    return packet

def send_malicious_packets(ip, port, packet_size):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))

    while True:
        malicious_packet = create_malicious_packet(packet_size)

send_malicious_packets(TARGET_IP, TARGET_PORT, PACKET_SIZE)

Replace target_ip_address with the Mosquitto server's IP address. Running this script will continuously send malicious packets to the target Mosquitto server, causing excessive memory allocation and potentially leading to a DoS attack.

Exploit Details

When a client connects to a Mosquitto server using the MQTT protocol correctly, it sends an initial CONNECT packet, indicating the start of the connection process. The server expects this packet to have a specific format according to the MQTT protocol. However, the vulnerability lies in the Mosquitto server's handling of packets that are not correctly formatted CONNECT packets, leading to excessive memory allocation.

The script provided above demonstrates how to craft malicious packets with the first byte not set to x10 (the packet type identifier for CONNECT). When these packets are sent to a Mosquitto server (before version 2..16), it continues to allocate memory without properly verifying the packet type, eventually causing a DoS condition.

1. Official CVE page:

2. Mosquitto GitHub repository:

3. Mosquitto Releases and Patches:


In conclusion, CVE-2023-0809 is a vulnerability in Mosquitto caused by the improper handling of initial packets that are not correctly formatted CONNECT packets. The vulnerability can lead to excessive memory allocation, potentially causing a DoS condition. Updating Mosquitto servers to version 2..16 or later is recommended to mitigate the vulnerability.


Published on: 10/02/2023 19:15:09 UTC
Last modified on: 01/07/2024 10:15:08 UTC