CVE-2024-3935: 
NixOS vulnerability analysis and mitigation

In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, a vulnerability exists when a Mosquitto broker is configured to create an outgoing bridge connection with an incoming topic that uses topic remapping. The vulnerability was discovered by songxiangpu from the School of Cyber Science and Technology at Shandong University and was patched in version 2.0.19 released on October 2, 2024 (Eclipse Blog, NVD).

The vulnerability is classified as a double free vulnerability (CWE-415). When a remote connection sends a crafted PUBLISH packet to the broker, a double free condition occurs, leading to a subsequent crash of the broker. The vulnerability has been assigned a CVSS v4.0 score of 6.0 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N and a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability results in a crash of the Mosquitto broker, effectively causing a denial of service condition. The vulnerability specifically affects bridge mode operations where topic remapping is in use (Eclipse Blog).

The vulnerability has been fixed in Mosquitto version 2.0.19. Users are advised to upgrade to this version or later to address the security issue. The fix was implemented through a patch that addresses the double free condition in the bridge topic handling code (Eclipse Blog, GitHub Patch).