{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68699", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-23T17:11:35.077Z", "datePublished": "2026-02-04T19:25:12.716Z", "dateUpdated": "2026-02-04T19:51:10.769Z"}, "containers": {"cna": {"title": "NanoMQ $share/ Subscription Validation and Forwarding Parsing Inconsistency: NULL Pointer Increment Causes Crash", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h"}, {"name": "https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b", "tags": ["x_refsource_MISC"], "url": "https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b"}], "affected": [{"vendor": "nanomq", "product": "nanomq", "versions": [{"version": "= 0.24.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T19:25:12.716Z"}, "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7."}], "source": {"advisory": "GHSA-qv5f-c6v2-2f8h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T19:43:58.427047Z", "id": "CVE-2025-68699", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:51:10.769Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68699", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T19:43:58.427047Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:45:06.581Z"}}], "cna": {"title": "NanoMQ $share/ Subscription Validation and Forwarding Parsing Inconsistency: NULL Pointer Increment Causes Crash", "source": {"advisory": "GHSA-qv5f-c6v2-2f8h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nanomq", "product": "nanomq", "versions": [{"status": "affected", "version": "= 0.24.6"}]}], "references": [{"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h", "name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b", "name": "https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T19:25:12.716Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68699", "state": "PUBLISHED", "dateUpdated": "2026-02-04T19:51:10.769Z", "dateReserved": "2025-12-23T17:11:35.077Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T19:25:12.716Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emqx:nanomq:0.24.6:*:*:*:*:*:*:*", "matchCriteriaId": "64B88C36-7B4D-4BD9-A237-65EFAC5DD520", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7."}, {"lang": "es", "value": "NanoMQ MQTT Broker (NanoMQ) es una Plataforma de Mensajer\u00eda de Borde integral. En la versi\u00f3n 0.24.6, NanoMQ presenta una inconsistencia en el an\u00e1lisis / reenv\u00edo de protocolos al manejar suscripciones compartidas ($share/). Un tema SUBSCRIBE malformado como $share/ab (falta la segunda /) no se valida estrictamente durante la etapa de suscripci\u00f3n, por lo que el Topic Filter inv\u00e1lido se almacena en la tabla de suscripciones. Posteriormente, cuando cualquier PUBLISH coincide con esta suscripci\u00f3n, la ruta de env\u00edo del broker (nmq_pipe_send_start_v4/v5) realiza un segundo an\u00e1lisis de $share/ usando strchr() e incrementa el puntero devuelto sin comprobaciones de NULL. Si el segundo strchr() devuelve NULL, sub_topic++ convierte el puntero en una direcci\u00f3n inv\u00e1lida (p. ej., 0x1). Este puntero inv\u00e1lido se pasa entonces a topic_filtern(), lo que activa strlen() y provoca un fallo con SIGSEGV. El fallo es estable y se puede activar remotamente. Este problema ha sido parcheado en la versi\u00f3n 0.24.7."}], "id": "CVE-2025-68699", "lastModified": "2026-02-20T21:20:09.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T20:16:03.910", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"created": "2026-02-05T11:39:47.982525+00:00", "updated": "2026-02-05T11:39:47.982561+00:00", "vendors": ["emqx", "emqx$PRODUCT$nanomq"]}