Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS13aHhyLTNwODQtcmYzY84ABHkX

Moderate CVSS: 6.9 EPSS: 0.00489% (0.64493 Percentile) EPSS:
Permalink JSON

Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation

Affected Packages Affected Versions Fixed Versions
maven:org.apache.activemq:activemq-client >= 6.0.0, < 6.1.6, >= 5.18.0, < 5.18.7, >= 5.17.0, < 5.17.7, < 5.16.8 6.1.6, 5.18.7, 5.17.7, 5.16.8
410 Dependent packages
6,414 Dependent repositories

Affected Version Ranges

All affected versions

5.8.0, 5.9.0, 5.9.1, 5.10.0, 5.10.1, 5.10.2, 5.11.0, 5.11.1, 5.11.2, 5.11.3, 5.11.4, 5.12.0, 5.12.1, 5.12.2, 5.12.3, 5.13.0, 5.13.1, 5.13.2, 5.13.3, 5.13.4, 5.13.5, 5.14.0, 5.14.1, 5.14.2, 5.14.3, 5.14.4, 5.14.5, 5.15.0, 5.15.1, 5.15.2, 5.15.3, 5.15.4, 5.15.5, 5.15.6, 5.15.7, 5.15.8, 5.15.9, 5.15.10, 5.15.11, 5.15.12, 5.15.13, 5.15.14, 5.15.15, 5.15.16, 5.16.0, 5.16.1, 5.16.2, 5.16.3, 5.16.4, 5.16.5, 5.16.6, 5.16.7, 5.17.0, 5.17.1, 5.17.2, 5.17.3, 5.17.4, 5.17.5, 5.17.6, 5.18.0, 5.18.1, 5.18.2, 5.18.3, 5.18.4, 5.18.5, 5.18.6, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5

All unaffected versions

5.16.8, 5.17.7, 5.18.7, 5.19.0, 6.1.6, 6.1.7
maven:org.apache.activemq:activemq-openwire-legacy >= 6.0.0, < 6.1.6, >= 5.18.0, < 5.18.7, >= 5.17.0, < 5.17.7, < 5.16.8 6.1.6, 5.18.7, 5.17.7, 5.16.8
78 Dependent packages
1,729 Dependent repositories

Affected Version Ranges

All affected versions

5.8.0, 5.9.0, 5.9.1, 5.10.0, 5.10.1, 5.10.2, 5.11.0, 5.11.1, 5.11.2, 5.11.3, 5.11.4, 5.12.0, 5.12.1, 5.12.2, 5.12.3, 5.13.0, 5.13.1, 5.13.2, 5.13.3, 5.13.4, 5.13.5, 5.14.0, 5.14.1, 5.14.2, 5.14.3, 5.14.4, 5.14.5, 5.15.0, 5.15.1, 5.15.2, 5.15.3, 5.15.4, 5.15.5, 5.15.6, 5.15.7, 5.15.8, 5.15.9, 5.15.10, 5.15.11, 5.15.12, 5.15.13, 5.15.14, 5.15.15, 5.15.16, 5.16.0, 5.16.1, 5.16.2, 5.16.3, 5.16.4, 5.16.5, 5.16.6, 5.16.7, 5.17.0, 5.17.1, 5.17.2, 5.17.3, 5.17.4, 5.17.5, 5.17.6, 5.18.0, 5.18.1, 5.18.2, 5.18.3, 5.18.4, 5.18.5, 5.18.6, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5

All unaffected versions

5.16.8, 5.17.7, 5.18.7, 5.19.0, 6.1.6, 6.1.7

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ.

During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections.
This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected.

Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue.

Existing users may implement mutual TLS to mitigate the risk on affected brokers.

References:

Identifiers

GHSA-whxr-3p84-rf3c

CVE-2025-27533

Risk

Severity

Moderate

CVSS

CVSS Score: 6.9

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/AU:Y/R:A/V:D/RE:M/U:Red

EPSS

EPSS Percentage: 0.00489

EPSS Percentile: 0.64493

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/apache/activemq

Date and time

Published

3 months ago

Updated

14 days ago

API

JSON