Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected. Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue. Existing users may implement mutual TLS to mitigate the risk on affected brokers.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of     OpenWire commands the size value of buffers was not properly validated which could lead to excessive     memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby     affecting applications and services that rely on the availability of the ActiveMQ broker when not using     mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before     5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected. Users are recommended     to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue. Existing users     may implement mutual TLS to mitigate the risk on affected brokers. (CVE-2025-27533)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4222 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4222-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                       Emmanuel Arias     June 19, 2025                                 https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : activemq     Version        : 5.16.1-1+deb11u2     CVE ID         : CVE-2025-27533     Debian Bug     : 1104933

    It was discovered that an Out Of Memory error may occur when attempting     to initialize a huge byte array, even when maxFrameSize is set.

    For Debian 11 bullseye, this problem has been fixed in version     5.16.1-1+deb11u2.

    We recommend that you upgrade your activemq packages.

    For the detailed security status of activemq please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/activemq

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache ActiveMQ running on the remote host is 5.16.x prior to 5.16.8, 5.17.x prior to 5.17.7, 5.18.x prior to 5.18.7, or 6.x prior to 6.1.6. It is, therefore, affected by a denial of service vulneraiblity:

  - During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to     excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory,     thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using     mutual TLS connections. (CVE-2025-27533)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
250189	Linux Distros Unpatched Vulnerability : CVE-2025-27533	Nessus	Misc.	medium
240192	Debian dla-4222 : activemq - security update	Nessus	Debian Local Security Checks	medium
235662	Apache ActiveMQ 5.16.x < 5.16.8 / 5.17.x < 5.17.7 / 5.18.x < 5.18.7 / 6.x < 6.1.6 DoS (CVE-2025-27533)	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2025-27533

medium

Tenable Plugins

medium

medium

medium