
Device crash via malformed MQTT packet when downlink is enabled

High
garthvh published GHSA-3x3r-vw9f-pxq5 Aug 27, 2024

Package

No package listed

Affected versions

<= 2.4.0

Patched versions

2.4.1+

Description

Summary

We are disclosing CVE-2024-45038, a denial of service vulnerability in MQTT packet handling, fixed in version 2.4.1 of the Meshtastic firmware and on the Meshtastic public MQTT broker. All Meshtastic users, particularly those whose devices connect to a privately hosted MQTT server (which will not carry the broker-side fix), are strongly advised to update to 2.4.1 or a more recent stable version right away.

After users have had a chance to update their devices, we will make the actual proof of concept available.
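Since the advisory gives only the affected range (<= 2.4.0 affected, 2.4.1+ patched) and notes that the crash needs MQTT downlink enabled, the practical first step is triaging a fleet by reported firmware version. The following is an added example written for this page, not Meshtastic project code: it assumes firmware version strings begin with a numeric x.y.z prefix (optionally followed by a build identifier), and the `mqtt_downlink` inventory field and the node names are hypothetical, constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# From the advisory: firmware <= 2.4.0 is affected, 2.4.1 and later is patched.
PATCHED_VERSION: Tuple[int, int, int] = (2, 4, 1)

# Assumption: version strings start with a numeric x.y.z prefix, possibly
# followed by a build identifier such as ".abc1234" (constructed here).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), or None when no x.y.z prefix is present.

    Unparseable strings return None rather than being treated as safe, so a
    device with unknown firmware stays in the triage queue.
    """
    match = _VERSION_RE.match(version.strip())
    if match is None:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if in the affected range, False if patched, None if unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Numeric tuple comparison avoids the string trap where "2.10.0" < "2.4.1".
    return parsed < PATCHED_VERSION


def triage(inventory: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Sort nodes into update-priority buckets.

    Each entry is {"firmware": str, "mqtt_downlink": bool}. The downlink flag
    is a hypothetical field the operator records; the advisory states the
    crash occurs when downlink is enabled, so those nodes are updated first.
    """
    buckets: Dict[str, List[str]] = {
        "affected_downlink_enabled": [],   # exposed per the advisory: update first
        "affected_downlink_disabled": [],  # affected firmware, update next
        "patched": [],
        "unknown": [],                     # could not read a version: inspect manually
    }
    for name, info in sorted(inventory.items()):
        status = is_affected(str(info.get("firmware", "")))
        if status is None:
            buckets["unknown"].append(name)
        elif status is False:
            buckets["patched"].append(name)
        elif info.get("mqtt_downlink"):
            buckets["affected_downlink_enabled"].append(name)
        else:
            buckets["affected_downlink_disabled"].append(name)
    return buckets


# Constructed sample inventory; the names, versions and hashes are not real devices.
SAMPLE_INVENTORY: Dict[str, Dict[str, object]] = {
    "relay-01": {"firmware": "2.4.0.abc1234", "mqtt_downlink": True},
    "relay-02": {"firmware": "2.4.1.def5678", "mqtt_downlink": True},
    "sensor-07": {"firmware": "2.3.15", "mqtt_downlink": False},
    "sensor-09": {"firmware": "2.10.0", "mqtt_downlink": True},
    "bench-unit": {"firmware": "dev-build", "mqtt_downlink": True},
}

if __name__ == "__main__":
    for bucket, nodes in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(nodes) or '-'}")
```

Feed it the firmware strings your nodes report (for example from the node info your management tooling already collects) and work the buckets top to bottom; a node that lands in `unknown` should be checked by hand rather than assumed patched.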

Severity

High

CVE ID

CVE-2024-45038

Weaknesses

No CWEs

Credits