CVE-2024-42645

7.5 HIGH

📋 TL;DR

An assertion failure vulnerability in FlashMQ v1.14.0 allows attackers to cause a Denial of Service (DoS) by sending a specially crafted retain message. This affects FlashMQ MQTT broker deployments running the vulnerable version, potentially disrupting MQTT messaging services.

💻 Affected Systems

Products:
  • FlashMQ
Versions: v1.14.0 only
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All FlashMQ deployments running version 1.14.0 are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage of FlashMQ broker, disrupting all MQTT communications and potentially affecting dependent IoT/automation systems.

🟠

Likely Case

Service crash requiring manual restart, causing temporary disruption to MQTT messaging until service is restored.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery.

🌐 Internet-Facing: HIGH - Attackers can remotely trigger the DoS without authentication if the broker is exposed to untrusted networks.
🏢 Internal Only: MEDIUM - Internal attackers or compromised devices could still exploit this, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending a crafted MQTT retain message, which is trivial for attackers with network access to the broker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.15.1

Vendor Advisory: https://www.flashmq.org/2024/06/17/flashmq-1-15-1-released/

Restart Required: Yes

Instructions:

1. Download FlashMQ v1.15.1 from the official repository.
2. Stop the FlashMQ service.
3. Replace the binary with the patched version.
4. Restart the FlashMQ service.

🔧 Temporary Workarounds

Network Access Restriction

Platform: Linux

Restrict MQTT broker access to trusted networks only. Replace <trusted_network_cidr> with your own network range (for example a CIDR such as 192.0.2.0/24); the ACCEPT rule must be inserted before the DROP rule, as shown.

iptables -A INPUT -p tcp --dport 1883 -s <trusted_network_cidr> -j ACCEPT
iptables -A INPUT -p tcp --dport 1883 -j DROP

Downgrade to v1.13.x

Platform: Linux

Revert to the previous stable version if immediate patching isn't possible. Note that the GitHub tag page itself is not an archive; the source tarball for the tag is at the archive URL below, and it unpacks into FlashMQ-1.13.0. FlashMQ builds with CMake.

wget https://github.com/halfgaar/FlashMQ/archive/refs/tags/v1.13.0.tar.gz -O flashmq-1.13.0.tar.gz
tar -xzf flashmq-1.13.0.tar.gz
cd FlashMQ-1.13.0 && cmake -S . -B build && cmake --build build && sudo cmake --install build

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FlashMQ from untrusted networks
  • Deploy rate limiting on MQTT port 1883 to limit attack impact

🔍 How to Verify

Check if Vulnerable:

Check FlashMQ version: ./flashmq --version should show 1.14.0

Check Version:

./flashmq --version

Verify Fix Applied:

Verify version is 1.15.1 or higher: ./flashmq --version

📡 Detection & Monitoring

Log Indicators:

  • Assertion failure messages in FlashMQ logs
  • Unexpected service termination/crash logs
  • Abnormal retain message patterns

Network Indicators:

  • Unusual MQTT retain message traffic from untrusted sources
  • Multiple connection attempts with retain flags

SIEM Query:

source="flashmq.log" AND ("assertion" OR "crash" OR "terminated")
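The version check and the log indicators above can be combined into a small local triage script. The following is an added example, not code from the advisory or from the FlashMQ project: it assumes that `flashmq --version` prints a dotted version number somewhere in its output, and the log lines it scans are constructed samples whose format is assumed (a glibc-style assertion message followed by an abort). An assertion failure in a C/C++ program calls abort(), so the process dies with SIGABRT (signal 6), which is why that is treated as an indicator alongside the "assertion", "crash" and "terminated" keywords from the SIEM query.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Versions taken from the advisory text: only 1.14.0 is affected, 1.15.1 is the fix.
VULNERABLE_VERSIONS = {(1, 14, 0)}
FIXED_VERSION = (1, 15, 1)


def parse_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first dotted x.y.z version out of `flashmq --version` output.
    The exact output format is an assumption; only the digits are relied on."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def assess_version(output: str) -> str:
    """Classify a broker as vulnerable / fixed / not-affected per the advisory."""
    v = parse_version(output)
    if v is None:
        return "unknown"
    if v in VULNERABLE_VERSIONS:
        return "vulnerable"
    if v >= FIXED_VERSION:
        return "fixed"
    return "not-affected"  # the advisory lists v1.14.0 only


# Indicator patterns, checked in order; the first match wins for a line.
INDICATORS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("assertion_failure", re.compile(r"\bassertion\b", re.IGNORECASE)),
    ("abort_signal", re.compile(r"\bSIGABRT\b|\bsignal 6\b", re.IGNORECASE)),
    ("terminated", re.compile(r"\bterminated\b", re.IGNORECASE)),
    ("crash", re.compile(r"\bcrash", re.IGNORECASE)),
]


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_name, line) for every line that matches
    one of the crash-related indicators from the advisory's detection section."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((n, name, line.strip()))
                break
    return hits


# Constructed sample log (not real FlashMQ output; the format is assumed).
SAMPLE_LOG = [
    "2024-06-17 10:00:01 [INFO] Client 'sensor-1' connected",
    "2024-06-17 10:00:02 [INFO] Received PUBLISH with retain flag on topic 'home/temp'",
    "flashmq: example.cpp:42: void example(): Assertion `retained' failed.",
    "2024-06-17 10:00:03 [ERROR] Process terminated by signal 6 (SIGABRT)",
    "2024-06-17 10:05:00 [INFO] FlashMQ starting",
]


if __name__ == "__main__":
    # Constructed --version output; on a real host feed in the actual command output.
    print("version status:", assess_version("FlashMQ 1.14.0"))
    for n, name, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {name}: {line}")
```

On a real host, pipe the output of `./flashmq --version` into `assess_version` and the broker log file into `scan_log`; a hit sequence of an assertion line immediately followed by an abort signal is the pattern to alert on, since a single "terminated" entry can also be a normal shutdown.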
