CVE-2023-5632

7.5 HIGH

📋 TL;DR

This vulnerability in Eclipse Mosquitto allows denial-of-service attacks by establishing connections without sending data, causing excessive CPU consumption through EPOLLOUT events. It affects all users running Mosquitto versions up to and including 2.0.5. The vulnerability can be exploited remotely without authentication.

💻 Affected Systems

Products:
  • Eclipse Mosquitto
Versions: All versions up to and including 2.0.5
Operating Systems: All operating systems running Mosquitto
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations are vulnerable; no special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to CPU exhaustion, preventing legitimate MQTT clients from connecting or communicating.

🟠 Likely Case

Degraded performance and intermittent service disruptions as CPU resources are consumed by malicious connections.

🟢 If Mitigated

Minimal impact with proper network segmentation and rate limiting in place.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation makes internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but network segmentation reduces exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only establishing TCP connections without sending MQTT data, making it trivial to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.6

Vendor Advisory: https://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d

Restart Required: Yes

Instructions:

1. Download Mosquitto 2.0.6 or later from official sources.
2. Stop the Mosquitto service.
3. Install the new version.
4. Restart the Mosquitto service.

🔧 Temporary Workarounds

Connection Rate Limiting (Linux)

Implement network-level rate limiting to restrict the number of new connections per second.

iptables -A INPUT -p tcp --dport 1883 -m state --state NEW -m limit --limit 10/second --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 1883 -m state --state NEW -j DROP

🧯 If You Can't Patch

  • Implement network segmentation to isolate Mosquitto instances from untrusted networks
  • Deploy network firewall rules (a Web Application Firewall only helps where MQTT is exposed over a WebSockets listener, since a WAF does not inspect raw MQTT over TCP) to detect and block connection flooding patterns

🔍 How to Verify

Check if Vulnerable:

Check the Mosquitto version: if it is 2.0.5 or earlier, the system is vulnerable.

Check Version:

mosquitto --version

Verify Fix Applied:

Verify Mosquitto version is 2.0.6 or later and monitor CPU usage during connection attempts.

📡 Detection & Monitoring

Log Indicators:

  • High rate of new connections without subsequent MQTT packets
  • Unusually high CPU usage by mosquitto process

Network Indicators:

  • Multiple TCP connections to port 1883/8883 with no data exchange
  • Connection attempts from single IP addresses at high frequency

SIEM Query:

source="mosquitto.log" AND "new connection" | stats count by src_ip | where count > 100
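Added example (not part of this advisory): a Python script that applies the log indicators above to constructed sample lines in the notice format Mosquitto's broker logger uses, flagging source IPs whose TCP connections rarely progress to an MQTT CONNECT. The log sample and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Mosquitto broker log lines (not from a real system).
# Mosquitto logs "New connection from <ip>:<port> on port <n>." when the TCP
# connection is accepted, and "New client connected from <ip>:<port> as <id>"
# only once a valid MQTT CONNECT packet has arrived. Connections that never
# reach the second line are the idle connections this CVE describes.
SAMPLE_LOG = """\
1700000000: New connection from 10.0.0.5:50001 on port 1883.
1700000000: New client connected from 10.0.0.5:50001 as sensor-1 (p2, c1, k60).
1700000001: New connection from 203.0.113.9:40001 on port 1883.
1700000001: New connection from 203.0.113.9:40002 on port 1883.
1700000001: New connection from 203.0.113.9:40003 on port 1883.
1700000002: New connection from 203.0.113.9:40004 on port 1883.
1700000002: New connection from 10.0.0.6:50002 on port 1883.
1700000002: New client connected from 10.0.0.6:50002 as sensor-2 (p2, c1, k60).
"""

NEW_CONN = re.compile(r"New connection from (\S+):\d+ on port \d+\.")
CONNECTED = re.compile(r"New client connected from (\S+):\d+ as ")


def idle_connection_stats(log_text):
    """Return {ip: (tcp_connections, completed_mqtt_connects)} per source IP."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            stats[m.group(1)][0] += 1
            continue
        m = CONNECTED.search(line)
        if m:
            stats[m.group(1)][1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


def suspicious_sources(log_text, min_connections=3, max_connect_ratio=0.5):
    """IPs with at least min_connections TCP connects of which at most
    max_connect_ratio reached an MQTT CONNECT (assumed thresholds)."""
    flagged = []
    for ip, (tcp, mqtt) in idle_connection_stats(log_text).items():
        if tcp >= min_connections and mqtt / tcp <= max_connect_ratio:
            flagged.append((ip, tcp, mqtt))
    # Worst offenders (most connections that never sent CONNECT) first.
    return sorted(flagged, key=lambda t: t[1] - t[2], reverse=True)


if __name__ == "__main__":
    for ip, tcp, mqtt in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {tcp} TCP connections, {mqtt} completed MQTT CONNECTs")
```

Point it at a real broker log (for example `/var/log/mosquitto/mosquitto.log`) and tune the thresholds to the normal reconnect behaviour of your clients before alerting on it.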
