Versions of mqtt-packet prior to 3.4.6, or 4.x prior to 4.0.5 are affected by a denial of service vulnerability wherein specific sequences of MQTT packets can crash the application.

Recommendation

Version 3.x: Update to version 3.4.6 or later.
Version 4.x: Update to version 4.0.5 or later.

References

• https://nvd.nist.gov/vuln/detail/CVE-2016-10523
• moscajs/mosca#393
• mqttjs/mqtt-packet#8
• GHSA-g3r2-65gc-qpqc
• https://www.npmjs.com/advisories/75