6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-10543

CVE-2025-10543: Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes

In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet).

The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes then the amount of data written exceeds what the length field indicates. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body).

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-10543

CVE-2025-10543:

6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/eclipse/paho.mqtt.golang	go	< 1.5.1	1.5.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, identified as CVE-2025-10543, is a numeric truncation error (CWE-197) within the eclipse/paho.mqtt.golang library. When an application uses this library to send an MQTT packet containing a string field (like a topic or client ID) longer than 65,535 bytes, the packet is improperly encoded. The root cause was identified by analyzing the patch provided in pull request #714, specifically commit 3162447fa892038e82256e918b681dc0c63a21ff. The changes in packets/packets.go pinpoint the packets.encodeBytes function as the source of the vulnerability. Before the patch, this function would calculate a 16-bit length for the data, which would truncate if the data was longer than 65,535 bytes. However, it would then write the full, untruncated data to the wire. The fix involves adding a check to truncate the data to 65,535 bytes if it exceeds this length, ensuring the encoded length matches the actual data length. Therefore, during exploitation, the packets.encodeBytes function would be present in any runtime profile or stack trace when a malicious, oversized string is being processed to create an MQTT packet.

Vulnerable functions

packets.encodeBytes

packets/packets.go

The function is vulnerable to a numeric truncation error. It casts the length of the input byte slice to a `uint16` without validating if the length exceeds the 65535 limit. This truncated length is then written to the byte stream, followed by the complete, untruncated byte slice. This discrepancy causes the excess bytes to overflow into the next field of the MQTT packet, leading to data corruption and potential information disclosure.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-10543: Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes

CVE-2025-10543:

6.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2025-10543: Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes

Technical Details

6.3

6.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI