Eclipse Mosquitto 1.4.12

Primary tabs


  • Fix CVE-2017-7650, which allows clients with username or client id set to '#' or '+' to bypass pattern based ACLs or third party plugins. The fix denies message sending or receiving of messages for clients with a '#' or '+' in their username or client id and if the message is subject to a pattern ACL check or plugin check.

Patches for other versions are available at


  • Fix mosquitto.db from becoming corrupted due to client messages being persisted with no stored message. Closes #424.
  • Fix bridge not restarting properly. Closes #428.
  • Fix unitialized memory in gets_quiet on Windows. Closes #426.
  • Fix building with WITH_ADNS=no for systems that don't use glibc. Closes #415.
  • Fixes to
  • Fix deprecation warning for OpenSSL 1.1. PR #416.
  • Don't segfault on duplicate bridge names. Closes #446.
  • Fix CVE-2017-7650.
Release Date: 
Monday, May 29, 2017
Release Type: 
Service release (bug fixes only)