CVE-2025-27533

moderate-risk

Published 2025-05-07

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected. Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue. Existing users may implement mutual TLS to mitigate the risk on affected brokers.

Do I need to act?

2.3% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

52288

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Activemq

Affected Vendors

Apache

References (3)

Mailing List https://lists.apache.org/thread/8hcm25vf7mchg4zbbhnlx2lc5bs705hg

Mailing List http://www.openwall.com/lists/oss-security/2025/05/06/1

https://lists.debian.org/debian-lts-announce/2025/06/msg00020.html

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 5/34 · Minimal

Exposure 5/34 · Minimal