CVE-2025-10543

5.3 MEDIUM

📋 TL;DR

This vulnerability in the Eclipse Paho Go MQTT client library allows UTF-8 strings longer than 65535 bytes to be incorrectly encoded, which can corrupt packets or leak data between fields. It affects applications using paho.mqtt.golang v1.5.0 and earlier. The cause is an integer overflow: a data length is converted from int64/int32 to int16 without a bounds check.

💻 Affected Systems

Products:
  • Eclipse Paho Go MQTT client library (paho.mqtt.golang)
Versions: Versions <= 1.5.0
Operating Systems: All platforms running Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that pass UTF-8 strings longer than 65535 bytes to the library. Most MQTT topics and messages are much shorter in practice.

⚠️ Risk & Real-World Impact

🔴 Worst Case

MQTT packets become corrupted causing message loss, or sensitive topic information leaks into message payloads visible to unauthorized subscribers.

🟠 Likely Case

Packet corruption leading to message delivery failures or unexpected application behavior when processing malformed MQTT packets.

🟢 If Mitigated

Limited impact when proper input validation and length checking are implemented at the application layer.

🌐 Internet-Facing: MEDIUM - MQTT brokers exposed to internet could receive malicious packets, but exploitation requires specific conditions and payloads.
🏢 Internal Only: LOW - Internal MQTT communications typically have controlled clients and predictable payload sizes.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted MQTT packets with very long UTF-8 strings. No authentication is needed, but it requires the ability to send packets to the vulnerable MQTT client.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.5.1 or later

Vendor Advisory: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/254

Restart Required: Yes

Instructions:

1. Update Go dependencies: go get github.com/eclipse/paho.mqtt.golang@v1.5.1
2. Update go.mod to require v1.5.1+
3. Rebuild and redeploy application
4. Restart all services using the library

🔧 Temporary Workarounds

Input validation at application layer

Implement length checking for all UTF-8 strings before passing them to the MQTT library:

// Go code example: reject strings the MQTT encoder cannot represent
// (UTF-8 string lengths are carried in a 2-byte field, so the maximum is 65535).
import "errors"

func checkLengths(topic string, payload []byte) error {
    if len(topic) > 65535 {
        return errors.New("topic too long")
    }
    if len(payload) > 65535 {
        return errors.New("payload too long")
    }
    return nil
}
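The following is an added, stand-alone Go example (not code from the Paho library or from this advisory) that shows both the failure mode the TL;DR describes and the checked encoding a caller should insist on. It builds the wire form of an MQTT UTF-8 string field (2-byte big-endian length prefix followed by the bytes) and refuses input longer than 65535 bytes instead of narrowing the length to 16 bits. The function names, the `TruncatedLengthPrefix` helper and the constructed 65536-byte input are assumptions for illustration only.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode/utf8"
)

// maxMQTTStringLen is the largest length an MQTT UTF-8 string field can carry:
// the length prefix is a 2-byte big-endian unsigned integer.
const maxMQTTStringLen = 65535

var ErrStringTooLong = errors.New("mqtt: UTF-8 string exceeds 65535 bytes")
var ErrInvalidUTF8 = errors.New("mqtt: string is not valid UTF-8")

// TruncatedLengthPrefix illustrates the failure mode in the advisory: narrowing a
// length to 16 bits without a bounds check wraps modulo 65536, so the prefix no
// longer matches the bytes that follow it. Illustration only; never do this.
func TruncatedLengthPrefix(n int) uint16 {
	return uint16(n) // deliberate unchecked narrowing
}

// EncodeMQTTString builds the wire form of an MQTT UTF-8 string field and
// refuses input the 2-byte prefix cannot represent instead of truncating it.
func EncodeMQTTString(s string) ([]byte, error) {
	if !utf8.ValidString(s) {
		return nil, ErrInvalidUTF8
	}
	if len(s) > maxMQTTStringLen {
		return nil, ErrStringTooLong
	}
	buf := make([]byte, 2+len(s))
	binary.BigEndian.PutUint16(buf[:2], uint16(len(s)))
	copy(buf[2:], s)
	return buf, nil
}

// DecodeMQTTString reads one length-prefixed string from buf and returns it with
// the number of bytes consumed, so a caller can check that prefix and data agree.
func DecodeMQTTString(buf []byte) (string, int, error) {
	if len(buf) < 2 {
		return "", 0, errors.New("mqtt: short buffer")
	}
	n := int(binary.BigEndian.Uint16(buf[:2]))
	if len(buf) < 2+n {
		return "", 0, errors.New("mqtt: length prefix exceeds buffer")
	}
	return string(buf[2 : 2+n]), 2 + n, nil
}

func main() {
	// Constructed input: a topic 65536 bytes long, one byte over the limit.
	over := make([]byte, maxMQTTStringLen+1)
	for i := range over {
		over[i] = 'a'
	}
	fmt.Printf("unchecked prefix for %d bytes: %d\n", len(over), TruncatedLengthPrefix(len(over)))
	_, err := EncodeMQTTString(string(over))
	fmt.Println("checked encoder:", err)

	wire, _ := EncodeMQTTString("sensors/temp")
	s, n, _ := DecodeMQTTString(wire)
	fmt.Printf("round trip: %q (%d bytes consumed)\n", s, n)
}
```

The unchecked prefix for a 65536-byte string comes out as 0, which is exactly how a following field can be read as part of the wrong one on the wire; the checked encoder returns an error before any bytes are written, which is the behaviour the application-layer workaround above is meant to guarantee.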

🧯 If You Can't Patch

  • Implement network filtering to block MQTT packets with strings exceeding 65535 bytes
  • Deploy MQTT brokers with payload size restrictions and monitor for oversized packets

🔍 How to Verify

Check if Vulnerable:

Check go.mod or go.sum for paho.mqtt.golang dependency version <=1.5.0

Check Version:

grep 'github.com/eclipse/paho.mqtt.golang' go.mod

Verify Fix Applied:

Verify that go.mod requires github.com/eclipse/paho.mqtt.golang v1.5.1+ and check the version actually imported by the built code

📡 Detection & Monitoring

Log Indicators:

  • MQTT connection errors
  • Packet parsing failures
  • Unexpected disconnections

Network Indicators:

  • MQTT packets with UTF-8 strings exceeding 65535 bytes
  • Malformed MQTT PUBLISH packets

SIEM Query:

source="mqtt_broker" AND (packet_size>65535 OR error="parse_error")
