The first release candidate for Mosquitto 2.1.0 is now available for testing. If no release critical issues are reported, this will become 2.1.0 on 2026-01-26.

The source and binary packages are available:

• Source
• Windows 64-bit
• Windows 32-bit
• Debian (amd64, armhf) (note: the final release version will be available in the normal repository)
• Ubuntu (amd64) (note: the final release version will be available in the normal repository)
• Snap (amd64, arm64): snap refresh --edge mosquitto or snap install --edge mosquitto

For ease of testing there are now some binaries available for testing the upcoming 2.1 release. We would strongly urge everyone using mosquitto to test out these versions and provide feedback if anything doesn't work as you expect.

The version in these binaries is listed as 2.0.99.

There are currently three options available:

Snap

For the x86_64 architecture only.

Update to the edge channel to get the test:

snap refresh --channel=edge mosquitto

Revert to normal using:

snap refresh --channel=stable mosquitto

Windows

Download the 64-bit installer

Docker

The mosquitto docker images are provided the the Official Images program by Docker, it would not be appropriate to put test images there. Given the restrictions Docker Hub places on pull images we are also looking at alternatives. Until the 2.1 release is made, testing images will be available hosted by Cedalo. Cedalo provide a paid version of mosquitto with enterprise features.

Note that the images are produced in a slightly different way to the normal images, so there is some wasted space. This is not representative of the final images.

docker pull registry.cedalo.com/eclipse-mosquitto-2.1-testing/mosquitto:latest

Other

We would like to provide Debian packages, but they are still in progress and we didn't want to delay the other binaries.

Version 2.0.22 of Mosquitto has been released. This is a bugfix release.

Broker

• Windows: Fix broker crash on startup if using log_dest stdout
• Bridge: Fix idle_timeout never occurring for lazy bridges.
• Fix case where max_queued_messages = 0 was not treated as unlimited. Closes #3244.
• Fix --version exit code and output. Closes #3267.
• Fix crash on receiving a $CONTROL message over a bridge, if per_listener_settings is set true and the bridge is carrying out topic remapping. Closes #3261.
• Fix incorrect reference clock being selected on startup on Linux. Closes #3238.
• Fix reporting of client disconnections being incorrectly attributed to "out of memory". Closes #3253.
• Fix compilation when using WITH_OLD_KEEPALIVE. Closes #3250.
• Add Windows linker file for the broker to the installer. Closes #3269.
• Fix Websockets PING not being sent on Windows. Closes #3272.
• Fix problems with secure websockets. Closes #1211.
• Fix crash on exit when using WITH_EPOLL=no. Closes #3302.
• Fix clients being incorrectly expired when they have keepalive == max_keepalive. Closes #3226, #3286.

Dynamic security plugin

• Fix mismatch memory free when saving config which caused memory tracking to be incorrect.

Client library

• Fix C++ symbols being removed when compiled with link time optimisation. Closes #3259.
• TLS error handling was incorrectly setting a protocol error for non-TLS errors. This would cause the mosquitto_loop_start() thread to exit if no broker was available on the first connection attempt. This has been fixed. Closes #3258.
• Fix linker errors on some architectures using cmake. Closes #3167.

Tests: - Fix 08-ssl-connect-cert-auth-expired and 08-ssl-connect-cert-auth-revoked tests when running on a single CPU system. Closes #3230.

Version 2.0.21 of Mosquitto has been released. This is a security and bugfix release.

Security: - Fix leak on malicious SUBSCRIBE by authenticated client. Closes [eclipse #248]. - Further fix for CVE-2023-28366.

Broker

• Fix clients sending a RESERVED packet not being quickly disconnected. Closes #2325.
• Fix bind_interface producing an error when used with an interface that has an IPv6 link-local address and no other IPv6 addresses. Closes #2696.
• Fix mismatched wrapped/unwrapped memory alloc/free in properties. Closes #3192.
• Fix allow_anonymous false not being applied in local only mode. Closes #3198.
• Add retain_expiry_interval option to fix expired retained message not being removed from memory if they are not subscribed to. Closes #3221.
• Produce an error if invalid combinations of cafile/capath/certfile/keyfile are used. Closes #1836. Closes #3130.
• Backport keepalive checking from develop to fix problems in current implementation. Closes #3138.

Client library

• Fix potential deadlock in mosquitto_sub if -W is used. Closes #3175.

Apps

• mosquitto_ctrl dynsec now also allows -i to specify a clientid as well as -c. This matches the documentation which states -i. Closes #3219. Client library:
• Fix threads linking on Windows for static libmosquitto library Closes #3143

Build

• Fix Windows builds not having websockets enabled.
• Add tzdata to docker images

Tests

• Fix 08-ssl-connect-cert-auth-expired and 08-ssl-connect-cert-auth-revoked tests when under load. Closes #3208.

Version 2.0.20 of Mosquitto has been released. This is a bugfix release.

Broker

• Fix QoS 1 / QoS 2 publish incorrectly returning "no subscribers". Closes #3128.
• Open files with appropriate access on Windows. Closes #3119.
• Don't allow invalid response topic values.
• Fix some strict protocol compliance issues. Closes #3052.

Client library

• Fix cmake build on OS X. Closes #3125.

Build

• Fix build on NetBSD

Version 2.0.19 of Mosquitto has been released. This is a security and bugfix release.

Security

• Fix mismatched subscribe/unsubscribe with normal/shared topics.
• Fix crash on bridge using remapped topic being sent a crafted packet.
• Don't allow SUBACK with missing reason codes in client library.

Broker

• Fix assert failure when loading a persistence file that contains subscriptions with no client id.
• Fix local bridges being incorrectly expired when persistent_client_expiration is in use.
• Fix use of CLOCK_BOOTTIME for getting time. Closes #3089.
• Fix mismatched subscribe/unsubscribe with normal/shared topics.
• Fix crash on bridge using remapped topic being sent a crafted packet.

Client library

• Fix some error codes being converted to string as "unknown". Closes #2579.
• Clear SSL error state to avoid spurious error reporting. Closes #3054.
• Fix "payload format invalid" not being allowed as a PUBREC reason code.
• Don't allow SUBACK with missing reason codes.

Build

• Thread support is re-enabled on Windows.

Version 2.0.18 of Mosquitto has been released. This is a bugfix release.

Broker: - Fix crash on subscribe under certain unlikely conditions. Closes #2885. Closes #2881.

Clients: - Fix mosquitto_rr not honouring -R. Closes #2893.

Version 2.0.16 of Mosquitto has been released. This is a security and bugfix release.

Security

• CVE-2023-28366: Fix memory leak in broker when clients send multiple QoS 2 messages with the same message ID, but then never respond to the PUBREC commands.
• CVE-2023-0809: Fix excessive memory being allocated based on malicious initial packets that are not CONNECT packets.
• CVE-2023-3592: Fix memory leak when clients send v5 CONNECT packets with a will message that contains invalid property types.
• Broker will now reject Will messages that attempt to publish to $CONTROL/.
• Broker now validates usernames provided in a TLS certificate or TLS-PSK identity are valid UTF-8.
• Fix potential crash when loading invalid persistence file.
• Library will no longer allow single level wildcard certificates, e.g. *.com

Broker

• Fix $SYS messages being expired after 60 seconds and hence unchanged values disappearing.
• Fix some retained topic memory not being cleared immediately after used.
• Fix error handling related to the bind_interface option.
• Fix std* files not being redirected when daemonising, when built with assertions removed. Closes #2708.
• Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
• Use line buffered mode for stdout. Closes #2354. Closes #2749.
• Fix bridges with non-matching cleansession/local_cleansession being expired on start after restoring from persistence. Closes #2634.
• Fix connections being limited to 2048 on Windows. The limit is now 8192, where supported. Closes #2732.
• Broker will log warnings if sensitive files are world readable/writable, or if the owner/group is not the same as the user/group the broker is running as. In future versions the broker will refuse to open these files.
• mosquitto_memcmp_const is now more constant time.
• Only register with DLT if DLT logging is enabled.
• Fix any possible case where a json string might be incorrectly loaded. This could have caused a crash if a textname or textdescription field of a role was not a string, when loading the dynsec config from file only.
• Dynsec plugin will not allow duplicate clients/groups/roles when loading config from file, which matches the behaviour for when creating them.
• Fix heap overflow when reading corrupt config with "log_dest file".

Client library

• Use CLOCK_BOOTTIME when available, to keep track of time. This solves the problem of the client OS sleeping and the client hence not being able to calculate the actual time for keepalive purposes. Closes #2760.
• Fix default settings incorrectly allowing TLS v1.1. Closes #2722.
• Fix high CPU use on slow TLS connect. Closes #2794.

Clients

• Fix incorrect topic-alias property value in mosquitto_sub json output.
• Fix confusing message on TLS certificate verification. Closes #2746.

Apps

• mosquitto_passwd uses mkstemp() for backup files.
• mosquitto_ctrl dynsec init will refuse to overwrite an existing file, without a race-condition.

Version 2.0.17 of Mosquitto has been released. This is a bugfix release.

Broker: - Fix max_queued_messages 0 stopping clients from receiving messages. Closes #2879. - Fix max_inflight_messages not being set correctly. Closes #2876.

Apps: - Fix mosquitto_passwd -U backup file creation. Closes #2873.

Versions 2.0.15 of Mosquitto has been released. This is a security and bugfix release.

Security

• Deleting the group configured as the anonymous group in the Dynamic Security plugin, would leave a dangling pointer that could lead to a single crash. This is considered a minor issue - only administrative users should have access to dynsec, the impact on availability is one-off, and there is no associated loss of data. It is now forbidden to delete the group configured as the anonymous group.

Broker

• Fix memory leak when a plugin modifies the topic of a message in MOSQ_EVT_MESSAGE.
• Fix bridge restart_timeout not being honoured.
• Fix potential memory leaks if a plugin modifies the message in the MOSQ_EVT_MESSAGE event.
• Fix unused flags in CONNECT command being forced to be 0, which is not required for MQTT v3.1. Closes #2522.
• Improve documentation of persistent_client_expiration option. Closes #2404.
• Add clients to session expiry check list when restarting and reloading from persistence. Closes #2546.
• Fix bridges not sending failure notification messages to the local broker if the remote bridge connection fails. Closes #2467. Closes #1488.
• Fix some PUBLISH messages not being counted in $SYS stats. Closes #2448.
• Fix incorrect return code being sent in DISCONNECT when a client session is taken over. Closes #2607.
• Fix confusing "out of memory" error when a client is kicked in the dynamic security plugin. Closes #2525.
• Fix confusing error message when dynamic security config file was a directory. Closes #2520.
• Fix bridge queued messages not being persisted when local_cleansession is set to false and cleansession is set to true. Closes #2604.
• Dynamic security: Fix modifyClient and modifyGroup commands to not modify the client/group if a new group/client being added is not valid. Closes #2598.
• Dynamic security: Fix the plugin being able to be loaded twice. Currently only a single plugin can interact with a unique $CONTROL topic. Using multiple instances of the plugin would produce duplicate entries in the config file. Closes #2601. Closes #2470.
• Fix case where expired messages were causing queued messages not to be delivered. Closes #2609.
• Fix websockets not passing on the X-Forwarded-For header.

Client library

• Fix threads library detection on Windows under cmake. Bumps the minimum cmake version to 3.1, which is still ancient.
• Fix use of MOSQ_OPT_TLS_ENGINE being unable to be used due to the openssl ctx not being initialised until starting to connect. Closes #2537.
• Fix incorrect use of SSL_connect. Closes #2594.
• Don't set SIGPIPE to ignore, use MSG_NOSIGNAL instead. Closes #2564.
• Add documentation of struct mosquitto_message to header. Closes #2561.
• Fix documentation omission around mosquitto_reinitialise. Closes #2489.
• Fix use of MOSQ_OPT_SSL_CTX when used in conjunction with MOSQ_OPT_SSL_CTX_DEFAULTS. Closes #2463.
• Fix failure to close thread in some situations. Closes #2545.

Clients

• Fix mosquitto_pub incorrectly reusing topic aliases when reconnecting. Closes #2494.

Apps

• Fix -o not working in mosquitto_ctrl, and typo in related documentation. Closes #2471.