MQTT does not validate hostnames
Published: November 06, 2025
SECURITY IDENTIFIERS
- CVE: CVE-2025-12790 (NVD)
- GHSA: GHSA-9c5q-w6gr-fxcq
- Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-12790
GEM
SEVERITY
CVSS v3.x: 7.4 (High)
PATCHED VERSIONS
>= 0.7.0
DESCRIPTION
A flaw was found in Rubygem MQTT. By default, the package used to not have hostname validation, resulting in possible Man-in-the-Middle (MITM) attack.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2025-12790
- https://github.com/njh/ruby-mqtt/releases/tag/v0.7.0
- https://github.com/njh/ruby-mqtt/blob/main/NEWS.md#ruby-mqtt-version-070-2025-10-29
- https://access.redhat.com/security/cve/CVE-2025-12790
- https://bugzilla.redhat.com/show_bug.cgi?id=2413004
- https://github.com/advisories/GHSA-9c5q-w6gr-fxcq