Apache ActiveMQ 5.16.x < 5.16.8 / 5.17.x < 5.17.7 / 5.18.x < 5.18.7 / 6.x < 6.1.6 DoS (CVE-2025-27533)

medium Nessus Plugin ID 235662

Synopsis

The remote host is running a web application that is affected by a denial of service vulnerability.

Description

The version of Apache ActiveMQ running on the remote host is 5.16.x prior to 5.16.8, 5.17.x prior to 5.17.7, 5.18.x prior to 5.18.7, or 6.x prior to 6.1.6. It is, therefore, affected by a denial of service vulnerability:

- During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. (CVE-2025-27533)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache ActiveMQ version 5.16.8, 5.17.7, 5.18.7, or 6.1.6 or later.
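Because the plugin decides purely on the self-reported version (it does not exercise the OpenWire unmarshalling path), the check reduces to a branch-aware version comparison against the fixed releases listed above. The following is an added example, not the plugin's NASL code or anything from the Apache ActiveMQ project; the branch-to-fixed-release table is taken from the Solution text, and the `triage` helper and its return strings are assumptions made here to show how the mutual-TLS caveat from the description could be folded into a triage decision.

```python
# Added example: branch-aware affected-version check for CVE-2025-27533,
# mirroring the logic described on the page (version comparison only).
from typing import Optional, Tuple

# First fixed release per affected branch, from the plugin's Solution text.
FIXED_BY_BRANCH = {
    (5, 16): (5, 16, 8),
    (5, 17): (5, 17, 7),
    (5, 18): (5, 18, 7),
    (6,):    (6, 1, 6),   # the whole 6.x line is fixed from 6.1.6 onward
}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '5.18.3' (or '5.18.3-SNAPSHOT') into a comparable int tuple.

    Python compares tuples lexicographically, so (5, 18) < (5, 18, 7) and
    (6, 2, 0) > (6, 1, 6), which is exactly the ordering we want here.
    """
    core = s.strip().split("-")[0]          # drop qualifiers like -SNAPSHOT
    return tuple(int(part) for part in core.split("."))


def fixed_version_for(v: Tuple[int, ...]) -> Optional[Tuple[int, ...]]:
    """Return the first fixed release for the branch v belongs to, or None
    when the branch is not one the plugin covers (e.g. 5.15.x)."""
    if v[:1] == (6,):
        return FIXED_BY_BRANCH[(6,)]
    return FIXED_BY_BRANCH.get(v[:2])


def is_affected(version: str) -> bool:
    """True when the reported version is in an affected range."""
    v = parse_version(version)
    fixed = fixed_version_for(v)
    if fixed is None:
        return False   # outside the ranges this plugin reports on
    return v < fixed


def triage(version: str, mutual_tls: bool) -> str:
    """Combine the version check with the description's mTLS caveat.
    Return values are constructed labels for this example, not Nessus output."""
    if not is_affected(version):
        return "not-affected"
    if mutual_tls:
        # Description: the DoS applies 'when not using mutual TLS connections',
        # so mTLS lowers exposure but the fix is still the upgrade.
        return "affected-mtls-reduces-exposure-upgrade"
    return "affected-upgrade-now"


if __name__ == "__main__":
    # Constructed sample inventory, not real scan data.
    for ver, mtls in [("5.18.3", False), ("5.18.7", False),
                      ("6.1.5", True), ("6.2.0", False), ("5.15.16", False)]:
        print(f"{ver:8} mTLS={mtls!s:5} -> {triage(ver, mtls)}")
```

Note that a version outside the listed branches (such as 5.15.x) returns "not-affected" only in the sense that this plugin makes no claim about it; that is a scope limitation of a version-string check, not evidence that such a build is safe.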

See Also

http://www.nessus.org/u?0f714d45

Plugin Details

Severity: Medium

ID: 235662

File Name: activemq_6_1_6.nasl

Version: 1.1

Type: combined

Agent: unix

Family: CGI abuses

Published: 5/9/2025

Updated: 5/9/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2025-27533

CVSS v3

Risk Factor: Medium

Base Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: cpe:/a:apache:activemq

Required KB Items: installed_sw/Apache ActiveMQ

Patch Publication Date: 5/6/2025

Vulnerability Publication Date: 5/6/2025

Reference Information

CVE: CVE-2025-27533

IAVB: 2025-B-0071