CVE-2025-68699— NanoMQ $share/ Subscription Validation and Forwarding Parsing Inconsistency: NULL Pointer Increment Causes Crash
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-68699
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
NanoMQ $share/ Subscription Validation and Forwarding Parsing Inconsistency: NULL Pointer Increment Causes Crash
Source: NVD (National Vulnerability Database)
Vulnerability Description
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
空指针解引用
Source: NVD (National Vulnerability Database)
Vulnerability Title
NanoMQ 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
NanoMQ是美国EMQ开源的一款用于物联网边缘平台的轻量级快速 MQTT Broker。 NanoMQ 0.24.6版本存在代码问题漏洞,该漏洞源于处理共享订阅时协议解析或转发不一致,可能导致远程触发崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-68699
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-68699
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: nanomq
- CVE-2026-32135
NanoMQ has Heap Buffer Overflow in URI Parameter Parsing - CVE-2026-34608
nanomq: Heap-Buffer-Overflow in webhook_inproc.c via cJSON_P - CVE-2026-32696
NanoMQ HTTP Auth: Missing username/password can trigger a NU - CVE-2026-25627
nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining - CVE-2026-21888
MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var
Same vendor: nanomq
- CVE-2026-32135
NanoMQ has Heap Buffer Overflow in URI Parameter Parsing - CVE-2026-34608
nanomq: Heap-Buffer-Overflow in webhook_inproc.c via cJSON_P - CVE-2026-32696
NanoMQ HTTP Auth: Missing username/password can trigger a NU - CVE-2026-25627
nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining - CVE-2026-21888
MQTT v5 Variable Byte Integer parsing out-of-bounds: get_var
Same weakness: CWE-476
- CVE-2026-8252
Open5GS SMF smf_nsmf_handle_create_data_in_hsmf null pointer - CVE-2026-7259
Null pointer dereference in php_mb_check_encoding() via mb_e - CVE-2026-7262
NULL pointer dereference in SOAP apache:Map decoder with mis - CVE-2026-42183
Argo Workflows: SSO RBAC Delegation Nil Pointer Dereference - CVE-2026-6666
PgBouncer crash in kill_pool_logins_server_error
V. Comments for CVE-2025-68699
No comments yet