Heap-Use-After-Free Vulnerability in NanoMQ MQTT Broker by NanoMQ
CVE-2025-66023

6.9MEDIUM

Key Information:

Vendor

NanoMQ

Status
NanoMQ
Vendor
CVE Published:
1 January 2026

What is CVE-2025-66023?

The NanoMQ MQTT Broker presents a vulnerability in its MQTT bridge client component, stemming from a Heap-Use-After-Free issue. This vulnerability is particularly exploited when NanoMQ operates as a bridge to a remote MQTT broker. An attacker-controlled broker can cause a Denial of Service or memory corruption by sending a carefully crafted sequence of malformed packets immediately after establishing a connection. The vulnerability is fixed in version 0.24.5, which implements strict protocol compliance measures, ensuring that the CONNACK packet is processed first to prevent the state confusion that leads to the Heap-Use-After-Free condition. Users are advised to validate remote brokers before bridging connections to mitigate risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

nanomq < 0.24.5

References

https://github.com/nanomq/nanomq/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/nanomq/nanomq/issues/2145
x_refsource_MISC
https://github.com/nanomq/NanoNNG/pull/1365
x_refsource_MISC

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.