CVE-2025-29953 in ActiveMQ NMS OpenWire Clientinfo

Zusammenfassung

von MITRE • 18.04.2025

Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client.

This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature to restrict deserialization, but this feature could be bypassed.

The .NET team has deprecated the built-in .NET binary serialization feature starting with .NET 9 and suggests migrating away from binary serialization. The project is considering to follow suit and drop this part of the NMS API altogether.

Users are recommended to upgrade to version 2.1.1, which fixes the issue. We also recommend to migrate away from relying on .NET binary serialization as a hardening method for the future.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

Apache

Reservieren

12.03.2025

Veröffentlichung

18.04.2025

Moderieren

akzeptiert

Eintrag

VDB-305668

CPE

bereit

EPSS

0.00068

KEV

nein

Aktivitäten

very low

Sektor

Energy, Lawfirm, ...

Quellen

MITREhttps://www.cve.org/CVERecord?id=CVE-2025-29953
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2025-29953
CVE Detailshttps://www.cvedetails.com/cve/CVE-2025-29953/

ZurückÜbersichtWeiter

Do you want to use VulDB in your project?

Use the official API to access entries easily!