CVE-2024-3935

Name: CVE-2024-3935
Creator: NVD / NIST
Published: 2024-10-30T12:15:03.09+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6/10EPSS 0.76%

Last modified Jun 17, 2026

CVE-2024-3935 is a medium-severity vulnerability rated 6/10 on the CVSS scale. In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker.. EPSS estimates a 0.76% chance of exploitation in the next 30 days.

Description

In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0

6/10

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.76%

50.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Eclipse	Mosquitto	>= 2.0.0, < 2.0.19

References

https://github.com/eclipse-mosquitto/mosquitto/commit/ae7a804dadac8f2aaedb24336df8496a9680fda9Patch
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/197Exploit, Issue Tracking, Vendor Advisory
https://mosquitto.org/blog/2024/10/version-2-0-19-released/Release Notes
https://lists.debian.org/debian-lts-announce/2025/02/msg00022.html

Timeline

Published: Oct 30, 2024
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2024-3935?

How severe is CVE-2024-3935?

CVE-2024-3935 has a CVSS score of 6/10 (MEDIUM severity). The EPSS model estimates a 0.76% probability of exploitation in the next 30 days.

How do I fix CVE-2024-3935?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-3935?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST