Routing-type Manipulation Vulnerability in Apache ActiveMQ Artemis
CVE-2025-27427
2.3 LOW
Summary
A vulnerability in Apache ActiveMQ Artemis allows users with certain permissions to alter the routing-type of a message, bypassing established address permissions. Specifically, users granted permissions to create durable and non-durable queues can modify the routing-type of messages sent, even if they lack the relevant permission to change the address itself. This flaw could lead to unauthorized message routing, with the potential for unexpected message-delivery behavior and security breaches. Upgrading to version 2.40.0 is advised to mitigate this security issue.
Affected Version(s)
Apache ActiveMQ Artemis 2.0.0 <= 2.39.0
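For brokers still on an affected version, the following added example (not part of the original advisory or the Artemis project) audits a broker.xml for roles that can create queues on an address match without holding the address-creation permission there. The permission type names createDurableQueue, createNonDurableQueue, createAddress and send are Artemis's broker.xml names and are not given on this page; the sample configuration and role names are constructed.

```python
import xml.etree.ElementTree as ET

QUEUE_PERMS = {"createDurableQueue", "createNonDurableQueue"}

# Constructed sample broker.xml fragment (not taken from any real deployment).
SAMPLE_BROKER_XML = """
<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <security-settings>
      <security-setting match="orders.#">
        <permission type="createAddress" roles="admin"/>
        <permission type="createDurableQueue" roles="admin,app"/>
        <permission type="createNonDurableQueue" roles="admin,guest"/>
        <permission type="send" roles="admin,app"/>
      </security-setting>
      <security-setting match="audit.#">
        <permission type="createAddress" roles="admin"/>
        <permission type="createDurableQueue" roles="admin"/>
        <permission type="send" roles="admin,app"/>
      </security-setting>
    </security-settings>
  </core>
</configuration>
"""

def local(tag):
    """Strip the XML namespace so the audit works on namespaced and plain files."""
    return tag.rsplit("}", 1)[-1]

def audit(broker_xml):
    """Return sorted (match, role, can_send) for roles that may create queues
    on a match but were not granted createAddress there."""
    findings = []
    for el in ET.fromstring(broker_xml).iter():
        if local(el.tag) != "security-setting":
            continue
        grants = {}  # permission type -> set of roles holding it on this match
        for perm in el:
            if local(perm.tag) != "permission":
                continue
            roles = {r.strip() for r in perm.get("roles", "").split(",") if r.strip()}
            grants.setdefault(perm.get("type"), set()).update(roles)
        creators = set().union(*(grants.get(p, set()) for p in QUEUE_PERMS))
        for role in creators - grants.get("createAddress", set()):
            findings.append((el.get("match"), role, role in grants.get("send", set())))
    return sorted(findings)
```

Roles reported with can_send set to True are the ones to review first, since the summary describes the routing-type change in terms of messages sent.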
CVSS V4
Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Eojin Lee
Dain Lee
WooJin Park
MinJung Lee
SeChang Oh