CVE-2025-62723
MEDIUMFlashMQ < 1.23.2 - Authenticated Resource Exhaustion via Unreleased QoS Message Sessions
Title source: llmDescription
FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.23.2, any authenticated user can create sessions and have them collect QoS messages. When not sent to a client, these are then not released upon (eventual) session expiration. Version 1.23.2 fixes the issue.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/halfgaar/FlashMQ/security/advisories/GHSA-7mhp-22q4-r6vv
Patch x_refsource_misc
https://github.com/halfgaar/FlashMQ/commit/e86c49360ef4387440c97f591770cdb9284b4ee9
Issue Tracking x_refsource_misc
https://github.com/halfgaar/FlashMQ/issues/154
Scores
CVSS v3
4.3
EPSS
0.0028
EPSS Percentile
19.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-772
Status
published
Products (1)
flashmq/flashmq
< 1.23.2
Published
Oct 24, 2025
Tracked Since
Feb 18, 2026