CVE-2025-62723

MEDIUM

Flashmq < 1.23.2 - Resource Leak

Title source: rule

Description

FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.23.2, any authenticated user can create sessions and have them collect QoS messages. When not sent to a client, these are then not released upon (eventual) session expiration. Version 1.23.2 fixes the issue.

References (3)

[Patch, Vendor Advisory] https://github.com/halfgaar/FlashMQ/security/advisories/GHSA-7mhp-22q4-r6vv

[Patch] https://github.com/halfgaar/FlashMQ/commit/e86c49360ef4387440c97f591770cdb9284b4ee9

View Patch ZIP pw:eip

[Issue Tracking] https://github.com/halfgaar/FlashMQ/issues/154

Scores

CVSS v3 4.3

EPSS 0.0006

EPSS Percentile 17.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-772

Status published

Products (1)

flashmq/flashmq < 1.23.2

Published Oct 24, 2025

Tracked Since Feb 18, 2026