{"id":"CVE-2019-12951","details":"An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow.","modified":"2026-04-11T08:55:51.169256Z","published":"2019-06-24T23:15:12.210Z","references":[{"type":"ADVISORY","url":"https://github.com/cesanta/mongoose/releases/tag/6.15"},{"type":"FIX","url":"https://github.com/cesanta/mongoose/commit/b3e0f780c34cea88f057a62213c012aa88fe2deb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cesanta/mongoose","events":[{"introduced":"0"},{"fixed":"d5beb7ba3f3767891f3d85945d7d33c1d8596e37"},{"fixed":"b3e0f780c34cea88f057a62213c012aa88fe2deb"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.15"}]}}],"versions":["3.2","3.3","3.4","3.5","3.6","3.7","3.8","4.0","4.1","5.0","5.1","5.2","5.3","5.4","5.5","5.5_20140120","5.6","6.0","6.1","6.10","6.11","6.12","6.13","6.14","6.2","6.3","6.4","6.5","6.6","6.7","6.9"],"database_specific":{"vanir_signatures":[{"signature_type":"Function","digest":{"function_hash":"198169568359688866823416702201207463449","length":3484},"id":"CVE-2019-12951-02b35968","deprecated":false,"target":{"function":"parse_mqtt","file":"src/mg_mqtt.c"},"source":"https://github.com/cesanta/mongoose/commit/b3e0f780c34cea88f057a62213c012aa88fe2deb","signature_version":"v1"},{"signature_type":"Line","digest":{"line_hashes":["318451959179559600212943761384714751553","203506875419145949752113475847773794541","300124475507211204145507290533671466820","99989783270940607929970042812623215153","113964899949487998914705191903055108661","220909073243904259200325940333054122391","181963326070752889268247635560144729332","194616825067426885033132069526593454473","32297059813226418094209480233904743941","158743914063726245224935765878676000180","242058701329965836886413194556142218028","202685874918949681063835384083901977148","298896519032976953735511227272721233568","234203154594107864103826915773165607850","156914595055367849120805501920246572284","316546846396089965587538649279488520373","115818615017429595644330698564950237276","212090324586127216818259759998632085017","280321884277974389504920536560302828502"],"threshold":0.9},"id":"CVE-2019-12951-a154c9ac","deprecated":false,"target":{"file":"mongoose.c"},"source":"https://github.com/cesanta/mongoose/commit/b3e0f780c34cea88f057a62213c012aa88fe2deb","signature_version":"v1"},{"signature_type":"Function","digest":{"function_hash":"198169568359688866823416702201207463449","length":3484},"id":"CVE-2019-12951-b0b505de","deprecated":false,"target":{"function":"parse_mqtt","file":"mongoose.c"},"source":"https://github.com/cesanta/mongoose/commit/b3e0f780c34cea88f057a62213c012aa88fe2deb","signature_version":"v1"},{"signature_type":"Line","digest":{"line_hashes":["318451959179559600212943761384714751553","203506875419145949752113475847773794541","300124475507211204145507290533671466820","99989783270940607929970042812623215153","113964899949487998914705191903055108661","220909073243904259200325940333054122391","181963326070752889268247635560144729332","194616825067426885033132069526593454473","32297059813226418094209480233904743941","158743914063726245224935765878676000180","242058701329965836886413194556142218028","202685874918949681063835384083901977148","298896519032976953735511227272721233568","234203154594107864103826915773165607850","156914595055367849120805501920246572284","316546846396089965587538649279488520373","115818615017429595644330698564950237276","212090324586127216818259759998632085017","280321884277974389504920536560302828502"],"threshold":0.9},"id":"CVE-2019-12951-b1da9acb","deprecated":false,"target":{"file":"src/mg_mqtt.c"},"source":"https://github.com/cesanta/mongoose/commit/b3e0f780c34cea88f057a62213c012aa88fe2deb","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T08:55:51Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12951.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}