ZeroMQ
ZeroMQ (libzmq) is a high-performance asynchronous messaging library used as a direct dependency of Jupyter kernels, making it relevant to AI and data science deployment environments. NVD tracks it as zeromq:libzmq. CVE history includes a critical RCE via stack overflow in SUBSCRIBE message handling and denial-of-service vulnerabilities in the ZMTP protocol handler.
Querying ZeroMQ
zeromq
4.3.5, 4.3.2, 4.2.5

curl "https://api.attestd.io/v1/check?product=zeromq&version=4.3.1" \
  -H "Authorization: Bearer $ATTESTD_KEY"

libzmq 4.3.1 is affected by CVE-2019-13132 (stack overflow RCE). Expect risk_state: "critical".

{
  "product": "zeromq",
  "version": "4.3.1",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "remote_code_execution",
    "no_authentication_required",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "4.3.2",
  "confidence": 0.81,
  "cve_ids": ["CVE-2019-13132"],
  "last_updated": "2026-02-23T18:21:30Z"
}

ZeroMQ 4.3.5 has no known relevant vulnerabilities at the time of the last synthesis run.

curl "https://api.attestd.io/v1/check?product=zeromq&version=4.3.5" \
  -H "Authorization: Bearer $ATTESTD_KEY"

CVE history
ZeroMQ CVEs cluster in protocol-level parsing: malformed multipart messages trigger stack overflows (CVE-2019-13132), and crafted ZMTP handshakes cause null pointer dereferences and memory leaks. These affect any service binding a ZMQ socket to a network-reachable address, including Jupyter kernels.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2019-13132 | Stack overflow in SUBSCRIBE message handling via crafted multi-part message allows remote code execution. | < 4.3.2 | 9.8 |
| CVE-2020-15166 | Denial of service via crafted ZMTP v1 greeting message causing a null pointer dereference in the protocol handler. | < 4.3.3 | 7.5 |
| CVE-2021-20234 | Memory leak via pipe message queue processing leading to unbounded memory growth and denial of service. | < 4.3.4 | 7.5 |
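
The following added example (not attestd's or the ZeroMQ project's code) cross-checks a /v1/check response against the "Affects" bounds in the table above. It uses the 4.3.1 response from this page, trimmed to the fields it reads, and shows that moving only to the reported fixed_version of 4.3.2 still leaves the two denial-of-service rows applicable. The function and variable names are assumptions of this example.

```python
import json

# Upper bounds from the "Affects" column of this page's CVE table:
# a version is affected when it is strictly below the bound.
AFFECTS_BELOW = {
    "CVE-2019-13132": "4.3.2",
    "CVE-2020-15166": "4.3.3",
    "CVE-2021-20234": "4.3.4",
}

# Trimmed copy of the 4.3.1 response shown on this page.
SAMPLE_RESPONSE = json.loads("""{
  "product": "zeromq", "version": "4.3.1", "risk_state": "critical",
  "fixed_version": "4.3.2", "cve_ids": ["CVE-2019-13132"]
}""")


def parse_version(text):
    """'4.3.1' -> (4, 3, 1). Missing parts count as 0; non-numeric parts raise ValueError."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected libzmq version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def table_cves(version):
    """CVE ids from the table whose bound lies above `version`, sorted."""
    v = parse_version(version)
    return sorted(c for c, bound in AFFECTS_BELOW.items() if v < parse_version(bound))


def upgrade_plan(response):
    """Compare one /v1/check response with the table's version bounds."""
    current = response["version"]
    fixed = response.get("fixed_version")
    open_now = table_cves(current)
    # Lowest version that sits outside every bound applying to `current`.
    clear_all = max((AFFECTS_BELOW[c] for c in open_now), key=parse_version, default=None)
    return {
        "open_now": open_now,
        "not_in_response": sorted(set(open_now) - set(response.get("cve_ids", []))),
        "left_after_fixed_version": table_cves(fixed) if fixed else open_now,
        "clear_all_at": clear_all,
    }


if __name__ == "__main__":
    print(json.dumps(upgrade_plan(SAMPLE_RESPONSE), indent=2))
```
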