{“lastseen”:”2026-01-06T09:31:36″,”description”:”Curl’s MQTT implementation accepts any valid Remaining Length advertised by the server without an explicit upper bound (beyond the MQTT spec maximum of 268,435,455 bytes). A malicious server can send a PUBLISH packet claiming this maximum size but provide only minimal payload, causing curl to wait indefinitely for the remaining data.\\n\\nThis is a low-severity client-side DoS (hang), mitigated by –max-time and –max-filesize. No memory exhaustion occurs as data is processed in small buffered chunks.\\n\\n##Affected Code:\\n`lib\/mqtt.c` (around line 737)\\n“`c\\ndata-\\u003ereq.size = remlen;\\nmq-\\u003enpacket = remlen;\\n“`\\n\\n##Proof of Concept:\\n\\nA Malicious MQTT Server Sends a Publish Packet With an Excessive Remaining Length\\nAlthough labeled as 0xFF FF FF 7F, which equals 268,435,455 bytes, the system transmits just several bytes. This discrepancy occurs despite the initial size declaration. From time to time, actual data volume stays minimal. Size indications do not always reflect transmitted content. What appears large may carry little information.\\n\\nCurl accepts the stated Remaining Length without verification, adjusting its expectations accordingly; only when communication ends or time expires does it respond. Though designed to follow protocol, reliance on external signals leaves room for unintended behavior under edge conditions.\\n\\nAttached screenshots show:\\n- From beyond, the harmful server transmits an exaggerated Remaining Length\\n- Logs from curl show remaining data volume: 268435455 bytes\\n\\n## Impact\\n\\n- Low severity \/ protocol hardening issue\\n- No crash\\n- No memory corruption\\n- No excessive memory allocation\\n- A malicious server can cause curl to wait for a very large transfer\\n- Partially mitigated by existing options such as –max-time and –max-filesize\\n\\n##Recommended Hardening:\\nApply the same MAX_MQTT_MESSAGE_SIZE limit to incoming packets as is already used for outgoing packets.\\n“`c\\nif(remlen \\u003e MAX_MQTT_MESSAGE_SIZE) {\\n failf(data, \\”MQTT message too large (%zu bytes, max %d)\\”,\\n remlen, MAX_MQTT_MESSAGE_SIZE);\\n result = CURLE_WEIRD_SERVER_REPLY;\\n goto end;\\n}\\n“`”,”published”:”2026-01-06T08:51:16″,”modified”:”2026-01-06T08:55:50″,”type”:”hackerone”,”title”:”curl: MQTT: Missing upper bound on incoming Remaining Length allows server-controlled long wait”,”source”:””,”references”:””,”id”:”H1:3488278″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3488278″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-06T09:31:36″,”description”:”Curl’s MQTT implementation accepts any valid Remaining Length advertised by the server without an explicit upper bound (beyond the MQTT spec maximum of 268,435,455 bytes)….<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-34346","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n