CVE-2025-62413
📋 TL;DR
MQTTX version 1.12.0 contains a Cross-Site Scripting (XSS) vulnerability: MQTT message payloads containing HTML or JavaScript are rendered directly in the message viewer instead of being displayed as text. This allows an attacker who can publish to a broker the victim subscribes to to execute arbitrary scripts in the application UI context, potentially accessing MQTT connection credentials or triggering unintended actions. Users of MQTTX 1.12.0 who connect to untrusted or multi-tenant MQTT brokers are affected.
💻 Affected Systems
- MQTTX
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal MQTT connection credentials, manipulate MQTTX UI to send malicious messages, or perform actions as the user within the application context.
Likely Case
Attackers could execute JavaScript in the MQTTX UI to display misleading information, capture user interactions, or attempt to access stored connection data.
If Mitigated
With proper input validation and output encoding, malicious payloads would be displayed as plain text without script execution.
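The output-encoding fix described above, as an added example that is not MQTTX's own code: the vulnerable pattern interpolates the raw payload into the viewer's markup, the hardened pattern HTML-encodes it first so a payload such as `<script>` arrives at the browser as literal text. The function names, the `payload` container and the sample payload are assumptions constructed for this example.

```javascript
// Added example, not MQTTX project code. Assumes the message viewer builds an
// HTML string for each message; escapeHtml, renderPayloadUnsafe,
// renderPayloadSafe and containsRawTag are hypothetical names.

// Characters that let text break out of an HTML text node or attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// MQTT payloads are opaque bytes; decode them as UTF-8 before display.
function payloadToText(payloadBytes) {
  return Buffer.from(payloadBytes).toString('utf8');
}

// Vulnerable pattern: the payload is placed straight into markup
// (the innerHTML / v-html style of rendering), so tags in it are parsed as HTML.
function renderPayloadUnsafe(payloadBytes) {
  return `<div class="payload">${payloadToText(payloadBytes)}</div>`;
}

// Hardened pattern: encode first, so the browser shows the tags as plain text.
function renderPayloadSafe(payloadBytes) {
  return `<div class="payload">${escapeHtml(payloadToText(payloadBytes))}</div>`;
}

// Check helper: does the rendered fragment still contain a raw HTML tag
// inside the payload container? True means the encoding was skipped.
function containsRawTag(html) {
  const inner = html.replace(/^<div class="payload">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed sample: a JSON message carrying the kind of tag the page lists
// as an indicator. Not a real captured message.
const SAMPLE_PAYLOAD = Buffer.from('{"temp":21,"note":"<script>alert(1)</script>"}', 'utf8');

console.log(renderPayloadSafe(SAMPLE_PAYLOAD));
```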
🎯 Exploit Status
Exploitation requires the victim to view a malicious MQTT message in MQTTX. Attackers need to publish messages to a broker the victim subscribes to.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.1
Vendor Advisory: https://github.com/emqx/MQTTX/security/advisories/GHSA-29gf-9r9v-j4m3
Restart Required: No
Instructions:
1. Download MQTTX 1.12.1 from the official GitHub releases page.
2. Install the update over your existing installation.
3. No restart required - the fix applies immediately.
🔧 Temporary Workarounds
Downgrade to previous version
Revert to MQTTX version 1.11.x or earlier, which does not contain the vulnerable code.
1. Download MQTTX 1.11.2 from https://github.com/emqx/MQTTX/releases/tag/v1.11.2
2. Uninstall the current version
3. Install version 1.11.2
Avoid untrusted brokers
Only connect to trusted MQTT brokers where you control all message publishers.
🧯 If You Can't Patch
- Do not use MQTTX 1.12.0 for production or sensitive environments
- Use alternative MQTT clients until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check MQTTX version in Help > About. If version is exactly 1.12.0, you are vulnerable.
Check Version:
In MQTTX: Help > About
Verify Fix Applied:
After updating, verify version shows 1.12.1 or higher in Help > About.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML or script tags in MQTT message logs
- Unexpected JavaScript execution in application logs
Network Indicators:
- MQTT messages containing HTML/JavaScript payloads published to brokers
SIEM Query:
source="mqttx" AND (message="*<script*" OR message="*javascript:*" OR message="*onerror=*" OR message="*onload=*")