CNNVD-202511-490 Information
CNNVD ID
CNNVD-202511-490
Related CVE
-
CNNVD Published: 2025-11-06
Description
MQTT (Message Queuing Telemetry Transport) is a publish/subscribe messaging protocol standardized as ISO/IEC PRF 20922. It runs over the TCP/IP protocol suite and is designed for remote devices with limited hardware capability and for poor network conditions. MQTT has a security vulnerability that stems from the lack of hostname verification by default, which may lead to man-in-the-middle attacks.
Hazard Level
Medium
Vulnerability Type
Other
Affected Vendor
Individual developer
Published
2025-11-06
Last Modified
2026-02-24
References
https://access.redhat.com/security/cve/CVE-2025-12790
https://bugzilla.redhat.com/show_bug.cgi?id=2413004
https://github.com/njh/ruby-mqtt/blob/main/NEWS.md#ruby-mqtt-version-070-2025-10-29
Patch
https://www.rubydoc.info/gems/mqtt