SCA: security update for Apache.NMS.ActiveMQ (GHSA-9g64-r942-fvmp)

critical Tenable Self-Hosted Container Security Plugin ID 433995

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects
Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such
servers could abuse the unbounded deserialization in the client to provide malicious responses that may
eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature
to restrict deserialization, but this feature could be bypassed. The .NET team has deprecated the built-in
.NET binary serialization feature starting with .NET 9 and suggests migrating away from binary
serialization. The project is considering to follow suit and drop this part of the NMS API altogether.
Users are recommended to upgrade to version 2.1.1, which fixes the issue. We also recommend to migrate
away from relying on .NET binary serialization as a hardening method for the future. (CVE-2025-29953)

See Also

https://github.com/advisories/GHSA-9g64-r942-fvmp

Plugin Details

Severity: Critical

ID: 433995

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.5

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-29953

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/18/2025

Vulnerability Publication Date: 4/18/2025

Reference Information

CVE: CVE-2025-29953

cwe: CWE-502