CVE-2025-10543: CWE-681 Incorrect Conversion between Numeric Types in Eclipse Foundation paho.mqtt.golang (Go MQTT v3.1 library)
In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet). The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes then the amount of data written exceeds what the length field indicates. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body).
CVE-2025-10543: CWE-681 Incorrect Conversion between Numeric Types in Eclipse Foundation paho.mqtt.golang (Go MQTT v3.1 library)
Description
In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet). The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes then the amount of data written exceeds what the length field indicates. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body).
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- eclipse
- Date Reserved
- 2025-09-16T07:59:33.051Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 692ef09b5ae7112264d5b098
Added to database: 12/2/2025, 1:58:51 PM
Last updated: 12/2/2025, 1:58:58 PM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-13295: CWE-201 Insertion of Sensitive Information Into Sent Data in Argus Technology Inc. BILGER
HighCVE-2025-65858: n/a
UnknownCVE-2025-13731: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in posimyththemes Nexter Extension – Site Enhancements Toolkit
MediumChrome, Edge Extensions Caught Tracking Users, Creating Backdoors
MediumCVE-2025-41086: CWE-639 Authorization Bypass Through User-Controlled Key in AMS Development Corp. GAMS
MediumActions
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.