Versions of `mqtt-packet` prior to 3.4.6, or 4.x prior to 4.0.5 are affected by a denial of service vulnerability wherein specific sequences of MQTT packets can crash the application.

## Recommendation

Version 3.x: Update to version 3.4.6 or later.
Version 4.x: Update to version 4.0.5 or later.

Affected Packages

npm mqtt-packet

Affected versions: 0 (fixed in 3.4.6)

npm mqtt-packet

Affected versions: 4.0.0 (fixed in 4.0.5)

Related CVEs

CVE-2016-10523

Key Information

GHSA ID

GHSA-g3r2-65gc-qpqc

Published

February 18, 2019 11:38 PM

Last Modified

January 8, 2021 6:50 PM

CVSS Score

7.5 /10

Primary Ecosystem

npm

Primary Package

mqtt-packet

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.