Memory Allocation Vulnerability in Apache ActiveMQ by Apache
CVE-2025-27533

6.9MEDIUM

Key Information:

Vendor: Apache
Status: Apache ActiveMQ
Vendor: CVE Published:; 7 May 2025

Badges

📈 Score: 693👾 Exploit Exists🟡 Public PoC

What is CVE-2025-27533?

CVE-2025-27533 is a vulnerability found within the Apache ActiveMQ messaging broker, which is widely utilized for facilitating communication between distributed applications via messaging protocols. Specifically, this vulnerability pertains to a memory allocation issue associated with excessive size values that are not properly validated during the unmarshalling of OpenWire commands. As a result, this oversight can lead to significant memory allocation, potentially allowing attackers to exhaust the memory resources of the ActiveMQ process. Such an event can cause a denial of service (DoS), making the messaging broker unavailable for applications and services that depend on it, particularly when operating without mutual TLS (Transport Layer Security) connections. Given ActiveMQ's role in enterprise communication, any downtime or unavailability can have severe operational repercussions for organizations relying on real-time message transmission and processing.

Potential impact of CVE-2025-27533

Denial of Service (DoS): The primary impact of CVE-2025-27533 is the potential for denial of service. Attackers exploiting this vulnerability can deplete system memory, leading to service disruptions, increased downtime, and an overall impact on business continuity as affected applications are rendered inoperative.
Operational Risk: Organizations that depend on Apache ActiveMQ for critical messaging processes may face significant operational risks. This vulnerability can interrupt essential data flows and communication channels, leading to delays in transactions, loss of data integrity, and impaired application performance.
Security Breach Opportunities: While the immediate threat of a DoS attack is clear, the vulnerability may also provide an avenue for further exploitation. By compromising ActiveMQ, attackers could gain insights into message payloads or disrupt the services to facilitate additional attacks, potentially leading to broader security breaches within the network infrastructure.

Affected Version(s)

Apache ActiveMQ 6.0.0 < 6.1.6

Apache ActiveMQ 5.18.0 < 5.18.7

Apache ActiveMQ 5.17.0 < 5.17.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-27533-Exploit-for-Apache-ActiveMQ
Created by absholi7ly

References

https://lists.apache.org/thread/8hcm25vf7mchg4zbbhnlx2lc5...

vendor-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 9, 2025
👾
Exploit known to exist
May 9, 2025
Vulnerability published
May 7, 2025
Vulnerability Reserved
Feb 28, 2025