The Apache Software Foundation has released a security update for Apache ActiveMQ, addressing a significant integer overflow vulnerability in its MQTT transport connector. The flaw, tracked as CVE-2025-66168, could allow authenticated attackers to trigger unpredictable broker behavior or perform a Denial of Service (DoS) attack by sending malformed packets.
ActiveMQ is a cornerstone of enterprise messaging, and its MQTT module is a vital bridge for IoT devices and real-time data streaming.
In the MQTT protocol, every unit of data transfer is a "control packet". Each packet begins with a fixed header that carries a Remaining Length field giving the number of bytes in the rest of the packet (variable header plus payload). The field is a variable-length integer: each byte contributes seven bits of the value, and its high bit is a continuation flag. The MQTT v3.1.1 specification restricts the field to a maximum of 4 bytes, so the largest encodable length is 268,435,455 bytes.
The vulnerability (CWE-190) exists because ActiveMQ’s MQTT module does not properly validate this field during decoding.
An authenticated attacker can send a malformed MQTT packet whose Remaining Length is manipulated or excessively large. Because the decoder does not enforce the specification's limit, the length calculation overflows.
Once the overflow occurs, ActiveMQ “incorrectly computes the total Remaining Length”. This causes the broker to misinterpret the remaining payload as multiple separate control packets, leading to protocol desynchronization or a system crash.
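To make the failure mode concrete, the following is an added example, not code from the ActiveMQ project or the advisory. It contrasts a hypothetical lenient Remaining Length decoder (an assumption constructed for illustration: it accepts any number of continuation bytes and accumulates the value in Java-style 32-bit signed arithmetic) with a spec-conforming decoder that stops at four bytes, and runs both over a constructed byte stream to show how a wrapped length turns the rest of the payload into extra control packets.

```python
"""MQTT Remaining Length decoding: lenient (overflow-prone) vs. strict.

Added illustration; the lenient decoder is an assumption about the failure
mode, not ActiveMQ's source code.
"""
from typing import Callable, List, Tuple

# MQTT v3.1.1 section 2.2.3: at most four bytes, maximum value 268,435,455.
MAX_REMAINING_LENGTH_BYTES = 4
MAX_REMAINING_LENGTH = 0x0FFFFFFF


class MalformedPacket(ValueError):
    """Raised when a fixed header cannot be decoded safely."""


def to_java_int(x: int) -> int:
    """Wrap an unbounded Python int to a 32-bit signed value, as Java's int would."""
    x &= 0xFFFFFFFF
    return x - 0x100000000 if x & 0x80000000 else x


def decode_lenient(buf: bytes, pos: int) -> Tuple[int, int]:
    """Hypothetical lenient decoder: no cap on continuation bytes, 32-bit
    accumulation, so a fifth length byte overflows. Returns (length, new_pos)."""
    value, multiplier = 0, 1
    while True:
        if pos >= len(buf):
            raise MalformedPacket("truncated Remaining Length")
        b = buf[pos]
        pos += 1
        value = to_java_int(value + (b & 0x7F) * multiplier)
        multiplier = to_java_int(multiplier * 128)
        if not b & 0x80:            # high bit clear: this was the last length byte
            return value, pos


def decode_strict(buf: bytes, pos: int) -> Tuple[int, int]:
    """Spec-conforming decoder: rejects more than four bytes, so the value can
    never exceed MAX_REMAINING_LENGTH and the overflow is unreachable."""
    value, multiplier = 0, 1
    for _ in range(MAX_REMAINING_LENGTH_BYTES):
        if pos >= len(buf):
            raise MalformedPacket("truncated Remaining Length")
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos
        multiplier *= 128
    raise MalformedPacket("Remaining Length longer than 4 bytes")


def frame(buf: bytes, decode: Callable[[bytes, int], Tuple[int, int]]) -> List[Tuple[int, bytes]]:
    """Split a byte stream into (packet_type, body) control packets."""
    packets, pos = [], 0
    while pos < len(buf):
        packet_type = buf[pos] >> 4     # high nibble of the first fixed-header byte
        length, pos = decode(buf, pos + 1)
        if length < 0 or pos + length > len(buf):
            raise MalformedPacket(f"bad Remaining Length {length}")
        packets.append((packet_type, buf[pos:pos + length]))
        pos += length
    return packets


# Constructed attack stream: a PUBLISH (0x30) whose Remaining Length is encoded
# in five bytes. Without a cap, 0x10 * 128**4 == 2**32, which wraps to 0 in a
# 32-bit int, so the bytes that follow are parsed as new control packets.
CRAFTED = bytes([0x30, 0x80, 0x80, 0x80, 0x80, 0x10]) + bytes([0xC0, 0x00, 0xE0, 0x00])


def demo_lenient() -> List[Tuple[int, bytes]]:
    """Overflow: the lenient framer reports PUBLISH, PINGREQ and DISCONNECT."""
    return frame(CRAFTED, decode_lenient)


def demo_strict() -> str:
    """The strict framer rejects the same bytes at the fifth length byte."""
    try:
        frame(CRAFTED, decode_strict)
    except MalformedPacket as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print("lenient:", demo_lenient())
    print("strict: ", demo_strict())
```

The lenient decoder also produces a negative length for `FF FF FF FF 7F` (the 32-bit accumulator wraps to -1), which is the "unpredictable behavior" side of the advisory: what happens next depends on how the surrounding code treats a negative size. The strict decoder is the check to look for when reviewing any MQTT codec: bound the byte count, not just the resulting value.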
While the vulnerability requires an established and authenticated connection to exploit, the impact on broker stability is high.
An attacker must first authenticate successfully to reach the vulnerable decoding logic, so valid broker credentials (or a compromised client) are a prerequisite. The flaw only affects brokers that have MQTT transport connectors enabled. Systems using only OpenWire, AMQP, or STOMP are not vulnerable to this specific attack.
Beyond a simple crash (DoS), the resulting “unexpected behavior” could include logic errors in message handling or corrupted internal states, which are critical in sensitive IoT environments.
The Apache Software Foundation has released patches across three major release branches. Organizations using ActiveMQ with MQTT should prioritize the following updates: