CVE-2025-68699 (GCVE-0-2025-68699)

Vulnerability from cvelistv5 – Published: 2026-02-04 19:25 – Updated: 2026-02-04 19:51
VLAI?
Title
NanoMQ $share/ Subscription Validation and Forwarding Parsing Inconsistency: NULL Pointer Increment Causes Crash
Summary
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
Vendor Product Version
nanomq nanomq Affected: = 0.24.6
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68699",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T19:43:58.427047Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T19:51:10.769Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nanomq",
          "vendor": "nanomq",
          "versions": [
            {
              "status": "affected",
              "version": "= 0.24.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476: NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-04T19:25:12.716Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h"
        },
        {
          "name": "https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b"
        }
      ],
      "source": {
        "advisory": "GHSA-qv5f-c6v2-2f8h",
        "discovery": "UNKNOWN"
      },
      "title": "NanoMQ $share/ Subscription Validation and Forwarding Parsing Inconsistency: NULL Pointer Increment Causes Crash"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-68699",
    "datePublished": "2026-02-04T19:25:12.716Z",
    "dateReserved": "2025-12-23T17:11:35.077Z",
    "dateUpdated": "2026-02-04T19:51:10.769Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68699\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-04T20:16:03.910\",\"lastModified\":\"2026-02-20T21:20:09.270\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7.\"},{\"lang\":\"es\",\"value\":\"NanoMQ MQTT Broker (NanoMQ) es una Plataforma de Mensajer\u00eda de Borde integral. En la versi\u00f3n 0.24.6, NanoMQ presenta una inconsistencia en el an\u00e1lisis / reenv\u00edo de protocolos al manejar suscripciones compartidas ($share/). Un tema SUBSCRIBE malformado como $share/ab (falta la segunda /) no se valida estrictamente durante la etapa de suscripci\u00f3n, por lo que el Topic Filter inv\u00e1lido se almacena en la tabla de suscripciones. Posteriormente, cuando cualquier PUBLISH coincide con esta suscripci\u00f3n, la ruta de env\u00edo del broker (nmq_pipe_send_start_v4/v5) realiza un segundo an\u00e1lisis de $share/ usando strchr() e incrementa el puntero devuelto sin comprobaciones de NULL. Si el segundo strchr() devuelve NULL, sub_topic++ convierte el puntero en una direcci\u00f3n inv\u00e1lida (p. ej., 0x1). Este puntero inv\u00e1lido se pasa entonces a topic_filtern(), lo que activa strlen() y provoca un fallo con SIGSEGV. El fallo es estable y se puede activar remotamente. Este problema ha sido parcheado en la versi\u00f3n 0.24.7.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:emqx:nanomq:0.24.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"64B88C36-7B4D-4BD9-A237-65EFAC5DD520\"}]}]}],\"references\":[{\"url\":\"https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-68699\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-04T19:43:58.427047Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-04T19:45:06.581Z\"}}], \"cna\": {\"title\": \"NanoMQ $share/ Subscription Validation and Forwarding Parsing Inconsistency: NULL Pointer Increment Causes Crash\", \"source\": {\"advisory\": \"GHSA-qv5f-c6v2-2f8h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"nanomq\", \"product\": \"nanomq\", \"versions\": [{\"status\": \"affected\", \"version\": \"= 0.24.6\"}]}], \"references\": [{\"url\": \"https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h\", \"name\": \"https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b\", \"name\": \"https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-476\", \"description\": \"CWE-476: NULL Pointer Dereference\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-04T19:25:12.716Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-68699\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-04T19:51:10.769Z\", \"dateReserved\": \"2025-12-23T17:11:35.077Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-04T19:25:12.716Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.