CVE-2024-42649

6.5 MEDIUM

📋 TL;DR

NanoMQ v0.22.10 contains a memory leak vulnerability in its MQTT PUBLISH message handling. Attackers can send crafted PUBLISH messages to gradually consume system memory, eventually causing a Denial of Service (DoS) crash. This affects all systems running the vulnerable NanoMQ version.

💻 Affected Systems

Products:
  • NanoMQ
Versions: v0.22.10
Operating Systems: All platforms running NanoMQ
Default Config Vulnerable: ⚠️ Yes
Notes: Any NanoMQ instance with MQTT PUBLISH functionality enabled is vulnerable. The vulnerability is in the core message handling code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage requiring manual restart, with potential data loss for in-flight messages and disruption to dependent IoT/MQTT applications.

🟠 Likely Case

Gradual performance degradation leading to eventual service crash, requiring restart and causing temporary service disruption.

🟢 If Mitigated

Minimal impact with proper monitoring and automated restart mechanisms in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending specially crafted MQTT PUBLISH messages. No authentication is required if the MQTT broker allows anonymous connections.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.22.11 or later

Vendor Advisory: https://github.com/nanomq/nanomq

Restart Required: Yes

Instructions:

1. Stop the NanoMQ service
2. Backup configuration files
3. Download and install NanoMQ v0.22.11 or later from GitHub releases
4. Restore configuration
5. Start the NanoMQ service

🔧 Temporary Workarounds

Rate Limit MQTT Connections

Platforms: all

Implement connection rate limiting to slow the rate at which an attacker can consume memory.

# In nanomq.conf:
max_connections = 100
# Or with iptables (limit concurrent connections per source to the MQTT port):
iptables -A INPUT -p tcp --dport 1883 -m connlimit --connlimit-above 10 -j DROP

Enable Authentication

Platforms: all

Require MQTT client authentication so that anonymous clients cannot trigger the leak.

# In nanomq.conf:
allow_anonymous = false
# Configure authentication (username and password are placeholders):
auth.1.login = username
auth.1.password = password

🧯 If You Can't Patch

  • Implement network segmentation to isolate NanoMQ from untrusted networks
  • Deploy memory monitoring with automated restart when thresholds are exceeded

🔍 How to Verify

Check if Vulnerable:

Run nanomq --version; a reported version of v0.22.10 is vulnerable.

Verify Fix Applied:

Confirm that nanomq --version reports v0.22.11 or later, then monitor memory usage during normal PUBLISH traffic to confirm it stays flat.

📡 Detection & Monitoring

Log Indicators:

  • Rapid increase in memory usage in system logs
  • NanoMQ crash logs with out-of-memory errors
  • Unusual volume of MQTT PUBLISH messages from single sources

Network Indicators:

  • High volume of MQTT PUBLISH packets from suspicious sources
  • Abnormal connection patterns to port 1883

SIEM Query:

source="nanomq" AND ("out of memory" OR "memory allocation failed" OR "segmentation fault")
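The following is an added example, not code from this advisory or from the NanoMQ project: it applies the log and network indicators listed above (the SIEM query terms plus per-source PUBLISH volume) to broker log lines. The line format "<date> <time> <source> <message>" and the "PUBLISH from <client>@<ip>" wording are constructed assumptions; adapt the regexes to your actual NanoMQ and syslog output.

```python
import re
from collections import Counter

# Terms from the SIEM query above, matched case-insensitively.
CRASH_RE = re.compile(r"out of memory|memory allocation failed|segmentation fault",
                      re.IGNORECASE)
# Constructed line format: "<date> <time> <source> <message>".
LINE_RE = re.compile(r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} "
                     r"(?P<source>\S+) (?P<msg>.*)$")
# Constructed per-message record emitted by the broker for each PUBLISH.
PUBLISH_RE = re.compile(r"PUBLISH from (?P<client>\S+)@(?P<ip>[\d.]+)")

def analyze(lines, per_minute_threshold=100):
    """Return crash-indicator lines mentioning nanomq, and source IPs whose
    PUBLISH count in any single one-minute window reaches the threshold."""
    crashes = []
    per_window = Counter()  # (ip, minute) -> PUBLISH count
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if CRASH_RE.search(m["msg"]) and "nanomq" in line.lower():
            crashes.append(line)
        pm = PUBLISH_RE.search(m["msg"])
        if pm:
            per_window[(pm["ip"], m["minute"])] += 1
    peak = Counter()  # highest one-minute count seen per source IP
    for (ip, _), n in per_window.items():
        peak[ip] = max(peak[ip], n)
    noisy = {ip: n for ip, n in peak.items() if n >= per_minute_threshold}
    return {"crash_indicators": crashes, "noisy_publishers": noisy}

# Constructed sample log: one source floods PUBLISH within a single minute,
# a quiet source sends a few, and the broker later dies out of memory.
SAMPLE_LOG = (
    [f"2024-08-20 10:15:{s:02d} nanomq PUBLISH from sensor-{s}@203.0.113.5 topic=t/x"
     for s in range(60)] * 2
    + ["2024-08-20 10:16:01 nanomq PUBLISH from gw@10.0.0.7 topic=t/y"] * 3
    + ["2024-08-20 10:17:30 kernel Out of memory: Killed process 4242 (nanomq)",
       "2024-08-20 10:17:31 nanomq memory allocation failed while handling PUBLISH"]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The per-minute threshold is a starting point only; set it from your own baseline PUBLISH rate so legitimate high-volume gateways are not flagged.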
