Anonymous persistent MQTT sessions retain client registry entries after disconnect #28

Description

@skadiscarlet

Summary

quickmsg/smqtt is affected by a denial-of-service issue reachable on its MQTT listener (port 18831 in the tested deployment). An unauthenticated attacker, or one holding default credentials or a default token, can trigger unbounded memory growth or request-burst heap amplification, causing the target JVM to throw java.lang.OutOfMemoryError under a bounded heap in the reproduced default-style deployment.

Affected Project

Field                       Value
Project                     quickmsg/smqtt
Repository                  https://github.com/quickmsg/smqtt
Local target id             quickmsg__smqtt
Candidate id                SMQTT-APP-STATIC-0001
Tested commit/snapshot      90c80b0c1cbd2caffe9e6028e7683b0a20a5b850
Dynamic validation phase    P1
Authentication requirement  Unauthenticated MQTT client
Suggested CVSS 3.1          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Technical Details

  • Entry / trigger: MQTT CONNECT with an attacker-controlled, unique clientIdentifier and cleanSession=false, followed by DISCONNECT or a TCP close
  • Sink / retained resource: DefaultChannelRegistry.channelMap, together with the persistent-session branch of ConnectProtocol.close, which skips channelRegistry.close and topicRegistry.clear, so the entry is never released
  • Default or effective bound assessment: MqttDecoder bounds a single frame to messageMaxSize 4194304, but the number of distinct clientIdentifier values is not capped; the default authConfig is null and NoneAuthManager accepts all clients
  • Reproduction shape: repeatedly CONNECT with unique client identifiers and cleanSession=false, then disconnect or close the TCP connection without ever reusing a clientId

Dynamic Evidence

Field            Value
Dynamic verdict  confirmed_oom
Status           verified_oom
OOM signal       java.lang.OutOfMemoryError
Requests sent    43706
Heap limit       96m
Endpoint / port  18831

Relevant process evidence from the validation record:

{
  "heap": "96m",
  "port": 18831,
  "cleanSession": false,
  "clientException": "TimeoutError('timed out')",
  "postProbePortOpen": true,
  "processExitCode": null,
  "aliveBeforeStop": true,
  "processStatus": {
    "VmHWM": "309036 kB",
    "VmRSS": "306736 kB",
    "Threads": "64"
  }
}

Source Evidence

  • frameworks/applications/quickmsg__smqtt/README.md:216-220
  • frameworks/applications/quickmsg__smqtt/smqtt-bootstrap/src/main/java/io/github/quickmsg/docker/DockerStarter.java:17-39
  • frameworks/applications/quickmsg__smqtt/smqtt-common/src/main/java/io/github/quickmsg/common/config/BootstrapConfig.java:25-39
  • frameworks/applications/quickmsg__smqtt/smqtt-core/src/main/java/io/github/quickmsg/core/auth/AuthManagerFactory.java:17-31
  • frameworks/applications/quickmsg__smqtt/smqtt-core/src/main/java/io/github/quickmsg/core/auth/NoneAuthManager.java:8-12
  • frameworks/applications/quickmsg__smqtt/smqtt-core/src/main/java/io/github/quickmsg/core/protocol/ConnectProtocol.java:96-112
  • frameworks/applications/quickmsg__smqtt/smqtt-core/src/main/java/io/github/quickmsg/core/protocol/ConnectProtocol.java:146-150
  • frameworks/applications/quickmsg__smqtt/smqtt-core/src/main/java/io/github/quickmsg/core/protocol/ConnectProtocol.java:190-194
  • frameworks/applications/quickmsg__smqtt/smqtt-core/src/main/java/io/github/quickmsg/core/spi/DefaultChannelRegistry.java:23-42

Impact

A remote attacker can exhaust the JVM heap, or the in-process queues and maps that back it, using only external requests. In the reproduced run, the target process emitted java.lang.OutOfMemoryError. Availability impact is high because normal service can become unavailable, time out, or require a restart to recover.

Suggested Remediation

  • Add global and per-client limits for persistent sessions.
  • Expire offline persistent session state after a bounded TTL.
  • Require authentication by default or document anonymous mode as unsafe for exposed brokers.
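The first two remediation items sketched as a bounded store for offline persistent-session state. This is an added illustration written for this report, not smqtt code: the class name BoundedSessionStore, its methods and the cap and TTL values are hypothetical; in the real fix the cleanSession=false branch of ConnectProtocol.close would consult such a store and, when retention is refused, fall through to channelRegistry.close and topicRegistry.clear as the cleanSession=true branch already does.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical bounded registry for disconnected persistent sessions (illustration only). */
public final class BoundedSessionStore {
    private final int maxOfflineSessions; // global cap on retained offline sessions
    private final Duration offlineTtl;    // how long disconnected state may linger
    // Insertion-ordered: the oldest offline session is always at the head.
    private final LinkedHashMap<String, Instant> offlineSince = new LinkedHashMap<>();

    public BoundedSessionStore(int maxOfflineSessions, Duration offlineTtl) {
        this.maxOfflineSessions = maxOfflineSessions;
        this.offlineTtl = offlineTtl;
    }

    /** Called from the cleanSession=false close path; false means the caller must clear the session. */
    public synchronized boolean retainOnDisconnect(String clientId, Instant now) {
        expire(now);
        offlineSince.remove(clientId); // re-insert so map order stays chronological
        if (offlineSince.size() >= maxOfflineSessions) {
            return false; // refuse to grow without bound instead of keeping the channelMap entry
        }
        offlineSince.put(clientId, now);
        return true;
    }

    /** Called when a client reconnects with the same clientId; true if offline state existed. */
    public synchronized boolean resume(String clientId, Instant now) {
        expire(now);
        return offlineSince.remove(clientId) != null;
    }

    /** Drops every offline session whose TTL has elapsed; returns how many were dropped. */
    public synchronized int expire(Instant now) {
        int dropped = 0;
        Iterator<Map.Entry<String, Instant>> it = offlineSince.entrySet().iterator();
        while (it.hasNext()) {
            Map.Entry<String, Instant> e = it.next();
            if (Duration.between(e.getValue(), now).compareTo(offlineTtl) < 0) {
                break; // entries are chronological, so everything after this one is newer
            }
            it.remove();
            dropped++;
        }
        return dropped;
    }

    public synchronized int offlineCount() { return offlineSince.size(); }
}
```

With a cap of, say, a few thousand offline sessions and a TTL of minutes to hours, the burst of unique-clientId CONNECT/DISCONNECT pairs from the reproduction would be capped at the configured limit instead of growing until OutOfMemoryError.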
