Security advisory: CVE-2017-7651, CVE-2017-7652

Mosquitto 1.4.15 has been released to address two security vulnerabilities.


A vulnerability exists in all Mosquitto versions up to and including 1.4.14 known as CVE-2017-7651.

Unauthenticated clients can send a crafted CONNECT packet which causes large amounts of memory use in the broker. If multiple clients do this, an out of memory situation can occur and the system may become unresponsive or the broker will be killed by the operating system.

The issue is fixed in Mosquitto 1.4.15. Patches for older versions are available at

The fix addresses the problem by limiting the permissible size of a CONNECT packet, and by adding a memory_limit configuration option that allows the broker to self-limit the amount of memory it uses.

Thanks to Felipe Balabanian for finding this vulnerability and responsibly reporting it.
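To make the mitigation concrete, here is an added example of decoding the MQTT "remaining length" field that follows the first byte of every fixed header, refusing a value that is malformed or that exceeds a per-packet-type cap before any buffer is sized from it. This is illustration code written for this page, not Mosquitto's own parser; the CONNECT cap below is an assumption derived from the maximum sizes of the fields a CONNECT packet can carry (a 10-byte variable header plus five length-prefixed fields of at most 65535 bytes each), not the value Mosquitto 1.4.15 uses, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of decoding the variable-length "remaining length" field. */
enum rl_status {
    RL_OK = 0,
    RL_INCOMPLETE,  /* more bytes are needed before a decision can be made */
    RL_MALFORMED,   /* continuation bit still set on the 4th byte: illegal encoding */
    RL_TOO_LARGE    /* well-formed, but larger than this packet type permits */
};

/* Largest value the 4-byte encoding can express (MQTT 3.1.1, section 2.2.3). */
#define MQTT_REMAINING_LENGTH_MAX 268435455u

/* Assumed cap for CONNECT (illustration only, not Mosquitto's value). */
#define CONNECT_REMAINING_LENGTH_CAP (10u + 5u * (2u + 65535u))

/* Decode the remaining length. Each byte carries 7 value bits; bit 7 set
 * means another byte follows, and at most 4 bytes are allowed. The value
 * is only written to *out when it is well-formed AND <= limit, so a caller
 * that allocates from *out can never allocate more than 'limit'. */
enum rl_status decode_remaining_length(const uint8_t *buf, size_t buflen,
                                       uint32_t limit, uint32_t *out,
                                       size_t *consumed)
{
    uint32_t value = 0;
    uint32_t multiplier = 1;
    size_t i;

    for (i = 0; i < 4; i++) {
        if (i >= buflen)
            return RL_INCOMPLETE;
        value += (uint32_t)(buf[i] & 0x7F) * multiplier;
        if ((buf[i] & 0x80) == 0) {
            if (value > limit)
                return RL_TOO_LARGE;
            *out = value;
            *consumed = i + 1;
            return RL_OK;
        }
        multiplier *= 128;
    }
    return RL_MALFORMED;
}

/* Encoder, so the decoder can be exercised on valid inputs. Returns the
 * number of bytes written (1..4), or 0 if the value cannot be encoded. */
size_t encode_remaining_length(uint32_t value, uint8_t out[4])
{
    size_t n = 0;
    if (value > MQTT_REMAINING_LENGTH_MAX)
        return 0;
    do {
        uint8_t byte = (uint8_t)(value % 128);
        value /= 128;
        if (value > 0)
            byte |= 0x80;
        out[n++] = byte;
    } while (value > 0);
    return n;
}

/* Decoded value on success, otherwise the negated status
 * (-1 incomplete, -2 malformed, -3 too large). */
long rl_decoded_value(const uint8_t *buf, size_t buflen, uint32_t limit)
{
    uint32_t value = 0;
    size_t consumed = 0;
    enum rl_status st = decode_remaining_length(buf, buflen, limit, &value, &consumed);
    return st == RL_OK ? (long)value : -(long)st;
}

/* 1 if encoding then decoding 'value' reproduces it, 0 otherwise. */
int rl_roundtrip_ok(uint32_t value)
{
    uint8_t buf[4];
    size_t n = encode_remaining_length(value, buf);
    if (n == 0)
        return 0;
    return rl_decoded_value(buf, n, MQTT_REMAINING_LENGTH_MAX) == (long)value;
}

int main(void)
{
    /* Constructed sample: the largest encodable value, far beyond what a
     * CONNECT packet can legitimately carry. */
    const uint8_t hdr[] = { 0xFF, 0xFF, 0xFF, 0x7F };
    printf("unbounded: %ld\n", rl_decoded_value(hdr, sizeof hdr, MQTT_REMAINING_LENGTH_MAX));
    printf("with CONNECT cap: %ld (-3 = too large, nothing allocated)\n",
           rl_decoded_value(hdr, sizeof hdr, CONNECT_REMAINING_LENGTH_CAP));
    return 0;
}
```

The point of the design is that the size check happens inside the decoder, before the caller ever sees a number it might pass to malloc(); a broker-wide memory_limit, as added in 1.4.15, is a second, independent bound on top of this per-packet one.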


A vulnerability exists in Mosquitto versions 1.0 to 1.4.14 inclusive known as CVE-2017-7652.

If the broker has exhausted all of its free sockets/file descriptors and then a SIGHUP signal is received to trigger reloading of the configuration, then the reloading will fail. This results in many of the configuration options, including security options, being set to their default value. This means that authorisation and access control may no longer be in place.

The issue is fixed in Mosquitto 1.4.15. Patches for older versions are available at

The fix addresses the problem by only copying the new configuration options to the in use configuration after a successful reload has taken place.
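The difference between the vulnerable and the fixed reload order is easiest to see side by side. The following is an added example written for this page, not Mosquitto's configuration code: a toy config struct with only the security-relevant options, a parser that reads "key value" lines from a string, and two reload routines. Passing NULL as the configuration text stands in for fopen() failing because no file descriptor is free; the defaults and sample file paths are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a broker configuration (constructed for this example). */
struct config {
    int  allow_anonymous;      /* 1 = unauthenticated clients may connect */
    char password_file[128];   /* empty = no password file */
    char acl_file[128];        /* empty = no ACL file, i.e. no access control */
};

/* Built-in defaults. They are permissive here on purpose: that is exactly
 * why leaving them in effect after a failed reload is dangerous. */
void config_defaults(struct config *cfg)
{
    cfg->allow_anonymous = 1;
    cfg->password_file[0] = '\0';
    cfg->acl_file[0] = '\0';
}

/* Parse "key value" lines. Returns 0 on success, -1 if the configuration
 * could not be read at all (text == NULL simulates an open() failure). */
int config_parse(const char *text, struct config *cfg)
{
    const char *p;
    if (text == NULL)
        return -1;
    for (p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256], key[64], value[128];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);
        if (line[0] == '#' || sscanf(line, "%63s %127s", key, value) != 2)
            continue;
        if (strcmp(key, "allow_anonymous") == 0)
            cfg->allow_anonymous = (strcmp(value, "true") == 0);
        else if (strcmp(key, "password_file") == 0)
            snprintf(cfg->password_file, sizeof cfg->password_file, "%s", value);
        else if (strcmp(key, "acl_file") == 0)
            snprintf(cfg->acl_file, sizeof cfg->acl_file, "%s", value);
    }
    return 0;
}

/* Vulnerable order: reset the live configuration to defaults, then re-read
 * the file into it. If reading fails, the defaults stay in effect. */
int reload_unsafe(struct config *live, const char *text)
{
    config_defaults(live);
    return config_parse(text, live);
}

/* Fixed order: parse into a scratch copy and replace the live configuration
 * only once the whole reload has succeeded. */
int reload_safe(struct config *live, const char *text)
{
    struct config fresh;
    config_defaults(&fresh);
    if (config_parse(text, &fresh) != 0)
        return -1;                 /* live is left untouched */
    *live = fresh;
    return 0;
}

/* Constructed sample: a hardened broker configuration. */
static const char HARDENED_CONF[] =
    "allow_anonymous false\n"
    "password_file /etc/mosquitto/passwd\n"
    "acl_file /etc/mosquitto/acl\n";

/* Start from the hardened config, then simulate a SIGHUP reload that cannot
 * open the file. Returns the resulting allow_anonymous setting. */
int anonymous_allowed_after_failed_reload(int use_safe)
{
    struct config live;
    config_defaults(&live);
    config_parse(HARDENED_CONF, &live);
    if (use_safe)
        reload_safe(&live, NULL);
    else
        reload_unsafe(&live, NULL);
    return live.allow_anonymous;
}

/* Same scenario; returns 1 if an ACL file is still configured afterwards. */
int acl_present_after_failed_reload(int use_safe)
{
    struct config live;
    config_defaults(&live);
    config_parse(HARDENED_CONF, &live);
    if (use_safe)
        reload_safe(&live, NULL);
    else
        reload_unsafe(&live, NULL);
    return live.acl_file[0] != '\0';
}

/* A successful safe reload must still apply changes: returns the new setting. */
int anonymous_allowed_after_successful_safe_reload(void)
{
    struct config live;
    config_defaults(&live);
    config_parse(HARDENED_CONF, &live);
    reload_safe(&live, "allow_anonymous true\n");
    return live.allow_anonymous;
}

int main(void)
{
    printf("unsafe reload: allow_anonymous=%d acl=%d\n",
           anonymous_allowed_after_failed_reload(0), acl_present_after_failed_reload(0));
    printf("safe reload:   allow_anonymous=%d acl=%d\n",
           anonymous_allowed_after_failed_reload(1), acl_present_after_failed_reload(1));
    return 0;
}
```

The same commit-or-keep rule applies to anything a reload touches: a reload that fails half way must leave the previous settings exactly as they were, rather than some mixture of old, new and default values.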

Version 1.4.15 Changes

The complete list of fixes addressed in version 1.4.15 is:


  • Fix CVE-2017-7652. If a SIGHUP is sent to the broker when there are no more file descriptors, then opening the configuration file will fail and security settings will be set back to their default values.
  • Fix CVE-2017-7651. Unauthenticated clients can cause excessive memory use by setting "remaining length" to be a large value. This is now mitigated by limiting the size of remaining length to valid values. A memory_limit configuration option has also been added to allow the overall memory used by the broker to be limited.


  • Use constant time memcmp for password comparisons.
  • Fix incorrect PSK key being used if it had leading zeroes.
  • Fix memory leak if a client provided a username/password for a listener with use_identity_as_username configured.
  • Fix use_identity_as_username not working on websockets clients.
  • Don't crash if an auth plugin returns MOSQ_ERR_AUTH for a username check on a websockets client. Closes #490.
  • Fix test when using async dns lookups. Closes #507.
  • Lines in the config file are no longer limited to 1024 characters long. Closes #652.
  • Fix $SYS counters of messages and bytes sent when message is sent over a Websockets. Closes #250.
  • Fix upgrade_outgoing_qos for retained message. Closes #534.
  • Fix CONNACK message not being sent for unauthorised connect on websockets. Closes #8.

Client library

  • Fix incorrect PSK key being used if it had leading zeroes.
  • Initialise "result" variable as soon as possible in mosquitto_topic_matches_sub. Closes #654.
  • No need to close socket again if setting non-blocking failed. Closes #649.
  • Fix mosquitto_topic_matches_sub() not correctly matching foo/bar against foo/+/#. Closes #670.


  • Correctly handle empty files with mosquitto_pub -l. Closes #676.


  • Don't run TLS-PSK tests if TLS-PSK disabled at compile time. Closes #636.

Version 1.4.14 released

This is a bugfix release.

Version 1.4.13 contained a regression that meant persistence data was only being saved after client information had been freed. This release fixes that.

If you use persistence then it is strongly recommended to avoid 1.4.13 so you do not suffer data loss.

Version 1.4.13 released

This is a bugfix and security release.


  • Fix CVE-2017-9868. The persistence file was readable by all local users, potentially allowing sensitive information to be leaked. This can also be fixed administratively, by restricting access to the directory in which the persistence file is stored.


  • Fix for poor websockets performance.
  • Fix lazy bridges not timing out for idle_timeout. Closes #417.
  • Fix problems with large retained messages over websockets. Closes #427.
  • Set persistence file to only be readable by owner, except on Windows. Closes #468.
  • Fix CONNECT check for reserved=0, as per MQTT v3.1.1 check MQTT-3.1.2-3.
  • When the broker stops, wills for any connected clients are now "sent". Closes #477.
  • Auth plugins can be configured to disable the check for +# in usernames/client ids with the auth_plugin_deny_special_chars option. Partially closes #462.
  • Restrictions for CVE-2017-7650 have been relaxed - '/' is allowed in usernames/client ids.
  • Remainder of fix for #462.


  • Don't use / in auto-generated client ids.

Security advisory: CVE-2017-9868

A vulnerability exists in Mosquitto versions 0.15 to 1.4.12 inclusive known as CVE-2017-9868.

If persistence is enabled, then the persistence file is created world readable, which has the potential to make sensitive information available to any local user.

Patches are available to fix this for Unix-like operating systems (i.e. not Windows):

This will be fixed in version 1.4.13, due to be released shortly.

This can also be fixed administratively by removing world read permissions for the directory that the persistence file is stored in. In many systems this can be achieved with:

chmod 700 /var/lib/mosquitto
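The code-level counterpart of that administrative fix is to create the persistence file with an owner-only mode in the first place and to verify it. The following is an added example written for this page, not Mosquitto's persistence code: it opens a file with mode 0600 regardless of the process umask, tightens an existing file with fchmod(), and checks that neither the file nor its directory grants any group or other access (the "chmod 700" condition). The path under /tmp is constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Any permission bit for group or others. */
#define SHARED_BITS (S_IRWXG | S_IRWXO)

/* Create or truncate a file that only its owner can read and write.
 * The mode given to open() is filtered by umask, which can only remove
 * bits, so a fresh file is never wider than 0600; fchmod() handles the case
 * where the file already existed with looser permissions. Returns an fd or -1. */
int open_private_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if neither group nor others have any permission on path (a file, or a
 * directory in the "chmod 700" sense), 0 if they do, -1 if stat() fails. */
int path_is_owner_only(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & SHARED_BITS) == 0;
}

/* End-to-end check on a constructed path: returns 1 when the file created by
 * open_private_file() is owner-only and a copy loosened to 0644 is flagged,
 * 0 otherwise. The file is removed afterwards. */
int demo_persistence_permissions(void)
{
    const char *path = "/tmp/mosquitto_example_persist.db";   /* constructed */
    const char payload[] = "constructed persistence data\n";
    int ok = 0;
    int fd = open_private_file(path);
    if (fd < 0)
        return 0;
    if (write(fd, payload, sizeof payload - 1) == (ssize_t)(sizeof payload - 1) &&
        path_is_owner_only(path) == 1 &&
        chmod(path, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == 0 &&  /* loosen to 0644 */
        path_is_owner_only(path) == 0)
        ok = 1;
    close(fd);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("persistence file permission check: %s\n",
           demo_persistence_permissions() ? "ok" : "FAILED");
    return 0;
}
```

Checking the directory with path_is_owner_only() as well as the file matters because a world-readable file inside a 700 directory is unreachable for other local users, whereas a 600 file is only as private as every directory above it allows.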

Citing Eclipse Mosquitto in your academic paper

A short paper has been published on Mosquitto in The Journal of Open Source Software. If you use Mosquitto in your academic work, please now use this paper as your citation.

R. A. Light, "Mosquitto: server and client implementation of the MQTT protocol," The Journal of Open Source Software, vol. 2, no. 13, May 2017, DOI: 10.21105/joss.00265

The paper link is

A [bibtex] entry is available.

Security advisory: CVE-2017-7650

A vulnerability exists in Mosquitto versions 0.15 to 1.4.11 inclusive known as CVE-2017-7650.

Pattern based ACLs can be bypassed by clients that set their username/client id to '#' or '+'. This allows locally or remotely connected clients to access MQTT topics that they do not have the rights to. The same issue may be present in third party authentication/access control plugins for Mosquitto.

The vulnerability only comes into effect where pattern based ACLs are in use, or potentially where third party plugins are in use.

The issue is fixed in Mosquitto 1.4.12, which has just been released. Patches for older versions are available at

The fix addresses the problem by restricting access for clients with a '#', '+', or '/' in their username or client id. '/' has been included in the list of characters disallowed because it also has a special meaning in a topic and may represent an additional risk. The restriction placed on clients is that they may not receive or send messages that are subject to a pattern based ACL check, nor any message that is subject to a plugin check.

Thanks to Artem Zinenko from HackerDom CTF team for finding this vulnerability and responsibly reporting it.
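The mechanism and the fix are both about how a pattern ACL is turned into a topic filter and then matched, so one worked example covers this advisory and the topic-matching fix listed for 1.4.15 (foo/bar must match foo/+/#). The code below is an added example written for this page, not Mosquitto's ACL or library code: a level-by-level topic matcher, a %u/%c pattern expander, and an access check that refuses any client whose username or client id contains '+', '#' or '/', as the 1.4.12 restriction does. All function names are this example's own (the library's mosquitto_topic_matches_sub() is referenced in the changelog but not reproduced here).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Match a topic name against a subscription filter, level by level:
 * '+' matches exactly one level; '#' matches the rest of the topic,
 * including zero further levels, so "foo/+/#" matches "foo/bar". */
int topic_matches_sub(const char *sub, const char *topic)
{
    for (;;) {
        const char *s_end = strchr(sub, '/');
        const char *t_end = strchr(topic, '/');
        size_t s_len = s_end ? (size_t)(s_end - sub) : strlen(sub);
        size_t t_len = t_end ? (size_t)(t_end - topic) : strlen(topic);

        if (s_len == 1 && sub[0] == '#')
            return 1;                              /* multi-level wildcard */
        if (!(s_len == 1 && sub[0] == '+') &&
            (s_len != t_len || memcmp(sub, topic, s_len) != 0))
            return 0;                              /* literal level differs */

        if (s_end == NULL && t_end == NULL)
            return 1;                              /* both exhausted */
        if (t_end == NULL)                         /* topic ended: only "/#" may remain */
            return s_end != NULL && strcmp(s_end, "/#") == 0;
        if (s_end == NULL)
            return 0;                              /* topic has more levels */
        sub = s_end + 1;
        topic = t_end + 1;
    }
}

/* Identifiers substituted into a pattern must not carry topic syntax:
 * '+' and '#' would become wildcards, '/' would add a level. A missing
 * identifier (NULL) is treated as unsafe here for simplicity. */
int acl_identifier_is_safe(const char *id)
{
    return id != NULL && strpbrk(id, "+#/") == NULL;
}

/* Expand %u (username) and %c (client id) in pattern into out.
 * Returns 0 on success, -1 if out is too small. */
int acl_pattern_expand(const char *pattern, const char *username,
                       const char *clientid, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p;
    for (p = pattern; *p; p++) {
        const char *rep = NULL;
        if (p[0] == '%' && p[1] == 'u') { rep = username; p++; }
        else if (p[0] == '%' && p[1] == 'c') { rep = clientid; p++; }
        if (rep) {
            size_t n = strlen(rep);
            if (o + n >= outlen)
                return -1;
            memcpy(out + o, rep, n);
            o += n;
        } else {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return 0;
}

/* Decide whether a client may use 'topic' under one pattern ACL line.
 * Clients whose identifiers carry topic syntax are refused before any
 * substitution happens, so the expanded filter can never gain a wildcard. */
int acl_pattern_allows(const char *pattern, const char *username,
                       const char *clientid, const char *topic)
{
    char expanded[256];
    if (!acl_identifier_is_safe(username) || !acl_identifier_is_safe(clientid))
        return 0;
    if (acl_pattern_expand(pattern, username, clientid, expanded, sizeof expanded) != 0)
        return 0;
    return topic_matches_sub(expanded, topic);
}

int main(void)
{
    /* Constructed sample: "pattern readwrite sensors/%u/#" with a normal user. */
    printf("alice -> sensors/alice/temp: %d\n",
           acl_pattern_allows("sensors/%u/#", "alice", "c1", "sensors/alice/temp"));
    printf("alice -> sensors/bob/temp:   %d\n",
           acl_pattern_allows("sensors/%u/#", "alice", "c1", "sensors/bob/temp"));
    printf("foo/bar matches foo/+/#:     %d\n", topic_matches_sub("foo/+/#", "foo/bar"));
    return 0;
}
```

Doing the identifier check at the ACL layer rather than at connect time is what lets a broker keep accepting such clients for non-pattern ACLs while still denying them anything that depends on substitution, which is the behaviour the advisory describes for 1.4.12.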

Complete list of fixes addressed in version 1.4.12:


  • Fix mosquitto.db from becoming corrupted due to client messages being persisted with no stored message. Closes #424.
  • Fix bridge not restarting properly. Closes #428.
  • Fix uninitialized memory in gets_quiet on Windows. Closes #426.
  • Fix building with WITH_ADNS=no for systems that don't use glibc. Closes #415.
  • Fixes to
  • Fix deprecation warning for OpenSSL 1.1. PR #416.
  • Don't segfault on duplicate bridge names. Closes #446.
  • Fix CVE-2017-7650.

Version 1.4.11 released

This is a bugfix release.


  • Fix crash when "lazy" type bridge attempts to reconnect. Closes #259.
  • maximum_connections now applies to websockets listeners. Closes #271.
  • Allow bridges to use TLS with IPv6.
  • Don't error on zero length persistence files. Closes #316.
  • For http only websockets clients, close files served over http in all cases when the client disconnects. Closes #354.
  • Fix error message when websockets http_dir directory does not exist.
  • Improve password utility error message. Closes #379.
  • Bridges can use asynchronous DNS lookups on systems with glibc. This can be enabled at compile time using WITH_ADNS=yes.


  • Use of --ciphers no longer requires you to also pass --tls-version. Closes #380.

Client library

  • Clients can now use TLS with IPv6.
  • Fix potential socket leakage when reconnecting. Closes #304.
  • Fix potential negative timeout being passed to pselect. Closes #329.

Pre Christmas Update

I have taken a bit of a break from Mosquitto for the past few months, partly because I needed a break but also to work on another unrelated project. I'm now back and working on Mosquitto again, primarily implementing support for the upcoming MQTT v5 spec, which has added even more features since I last wrote about it. Once that is in a state that is reasonably compliant, if incomplete, I will be looking for testers.

There are a few fixes in the repository waiting for release; I anticipate releasing 1.4.11 before the end of the year.

There have been some changes to On its original host I was seeing lots of bandwidth being used by lots of clients, but in particular lots and lots of tiny connections being made which were not showing up on my bandwidth monitoring, but were consuming bandwidth and causing problems at my provider. My provider got in touch to say that at times approximately half of the network flows for their network were related to, and could I please have a chat with the transit provider to discuss how best to manage this service. In the face of that and the risk of exceeding 2TB bandwidth usage per month, has been moved to a lower spec host with smaller pipes and "automatic DDOS protection". This means I now get half a dozen emails per day to say that is under attack. If you find you can't connect to, it might be because you have been blocked by this DDOS protection - if so, maybe think about how you are using the service.

The final thought for this post - if you are part of a company that uses mosquitto and it adds value to your company, please consider making a donation to the project that reflects that value. If it is difficult for your company to make donations but you would still like to contribute back, please get in touch and maybe we can arrange something.