Eclipse Mosquitto Security Audit Has Been Completed
We’re excited to announce that the Eclipse Foundation has successfully conducted a security audit for Eclipse Mosquitto, marking our fourth project audit this year. To enhance security, all Mosquitto users are urged to upgrade to the latest available version. All issues identified by the audit have been fixed in the source code.
An Eclipse IoT project, Eclipse Mosquitto provides a lightweight server implementation of the MQTT protocol that is suitable for all situations, from powerful servers to embedded and low-power machines. Highly portable and compatible with numerous platforms, Mosquitto is a popular choice for embedded products.
Because an MQTT network may be reachable by attackers, correct handling of messages in the broker and correct cryptographic operations are essential to the security of the entire network.
The audit revealed a few issues in the password implementation and Dynamic Security plugin. This shows that independent review can be useful for all projects, even mature ones.
This open source project security audit was completed by Trail of Bits, an independent auditor. Like our previous three audits, this initiative was done in collaboration with the Open Source Technology Improvement Fund (OSTIF) and was made possible thanks to the funding the Foundation received from the Alpha-Omega Project.
Get Involved
- Download Eclipse Mosquitto, learn how you can contribute to the project, and review its security page.
- Learn more about the Eclipse Cyber Risk Initiative, and how your organization can join the effort to strengthen the open source supply chain. Please subscribe to the ECRI mailing list to join the initiative, or to follow its progress.