CVE-2025-27533: Apache ActiveMQ Memory Allocation Bug Could Lead to Denial of Service

Apache ActiveMQ, the widely used open-source message broker known for its robust support of multiple protocols and cross-platform integrations, has been found vulnerable to a critical memory allocation flaw that could be exploited to trigger a Denial of Service (DoS).

The vulnerability, identified as CVE-2025-27533, stems from unchecked buffer size validation during unmarshalling of OpenWire commands. This oversight allows an attacker to send specially crafted messages that result in excessive memory allocation, potentially depleting system resources and crashing the broker service.

The vulnerability affects a broad range of Apache ActiveMQ versions:

• 6.0.0 before 6.1.6
• 5.18.0 before 5.18.7
• 5.17.0 before 5.17.7
• 5.16.0 before 5.16.8
• Fortunately, version 5.19.0 and later are not affected.

To defend against this vulnerability, Apache strongly advises:

• Upgrading to a patched version:
  • 6.1.6+
  • 5.19.0+
  • 5.18.7
  • 5.17.7
  • 5.16.8
• Enabling mutual TLS (mTLS) on ActiveMQ brokers as an additional mitigation layer for environments unable to upgrade immediately.

Related Posts:

• Cybereason Uncovers Widespread Exploitation of Apache ActiveMQ Vulnerability
• Apache ActiveMQ Remote Code Execution Vulnerability
• Apache ActiveMQ Servers Exploited by HelloKitty Ransomware
• Android 16 Beta Boosts Linux Terminal Storage with Dynamic Allocation