CVE-2025-10543

MEDIUM

Eclipse Paho Go MQTT v3.1 <=1.5.0 - Buffer Overflow

Title source: llm

Description

In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet). The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes then the amount of data written exceeds what the length field indicates. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body).

References (1)

[Issue Tracking, Vendor Advisory] https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/254

Scores

CVSS v3 5.3

EPSS 0.0004

EPSS Percentile 10.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-681 CWE-197

Status published

Products (2)

eclipse/paho.mqtt.golang 0 - 1.5.1Go

eclipse/paho_mqtt < 1.5.0

Published Dec 02, 2025

Tracked Since Feb 18, 2026