Eclipse Mosquitto Security Audit Has Been Completed

We’re excited to announce that the Eclipse Foundation has completed a security audit of Eclipse Mosquitto, our fourth project audit this year. All issues identified by the audit have been fixed in the source code, so all Mosquitto users are urged to upgrade to the latest available release to pick up those fixes.

An Eclipse IoT project, Eclipse Mosquitto provides a lightweight broker (server) implementation of the MQTT protocol that runs in a wide range of settings, from powerful servers to embedded and low-power devices. Highly portable and available on many platforms, Mosquitto is a popular choice for embedded products.

Threat Model

Because an MQTT network may be reachable by attackers, correct handling of messages in the broker and correct cryptographic operations are important to the security of the entire network.

The audit revealed a few issues in the password implementation and the Dynamic Security plugin. This shows that independent review can be useful for all projects, even mature ones.

Full Report

This open source project security audit was completed by Trail of Bits, an independent auditor. Like our previous three audits, this initiative was done in collaboration with the Open Source Technology Improvement Fund (OSTIF) and was made possible thanks to the funding the Foundation received from the Alpha-Omega Project. 
