CVE-2023-5632: 
NixOS vulnerability analysis and mitigation

In Eclipse Mosquito before and including 2.0.5, a denial of service vulnerability was discovered where establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, resulting in excessive CPU consumption. The vulnerability was assigned CVE-2023-5632 and was fixed in version 2.0.6 (NVD).

The vulnerability stems from a design flaw where establishing a connection to the server without sending any data causes the EPOLLOUT event to be continuously added. This results in the server executing the main loop without pausing, as epoll_wait gets the EPOLLOUT event repeatedly. The issue was confirmed to cause CPU usage to spike to 100% when exploited (GitHub PR). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is denial of service through resource exhaustion. When exploited, it causes the affected Mosquitto server to consume excessive CPU resources, potentially rendering the service unavailable to legitimate users (NVD).

The vulnerability has been fixed in Eclipse Mosquitto version 2.0.6. Users are advised to upgrade to this version or later to address the issue. The fix involves modifying how the EPOLLOUT event is handled to prevent the continuous loop execution (GitHub Commit).