Deserialization Vulnerability in Apache ActiveMQ NMS OpenWire Client
CVE-2025-29953

9.8CRITICAL

Key Information:

Vendor

Apache
Status
Apache ActiveMQ Nms Openwire Client
Vendor
CVE Published:
18 April 2025

Badges

👾 Exploit Exists📰 News Worthy

What is CVE-2025-29953?

The vulnerability in Apache ActiveMQ NMS OpenWire Client prior to version 2.1.1 enables deserialization of untrusted data from untrusted servers. This flaw allows malicious entities to exploit unbounded deserialization, potentially leading to arbitrary code execution on the client. While version 2.1.0 introduced a mechanism to restrict deserialization through an allow/denylist, this feature is susceptible to bypass. Users are strongly urged to upgrade to version 2.1.1 to mitigate this risk and consider transitioning from .NET binary serialization for future-proofing their applications.

Affected Version(s)

Apache ActiveMQ NMS OpenWire Client 0 < 2.1.1

News Articles

favicon imageCybersecurityNews

Apache ActiveMQ Vulnerability Allows Remote Attackers to Execute Arbitrary Code

A critical security vulnerability (CVE-2025-29953) in Apache ActiveMQ’s NMS OpenWire Client has been disclosed, enabling remote attackers.

References

https://lists.apache.org/thread/vc1sj9y3056d3kkhcvrs9fyw5...
vendor-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾

    Exploit known to exist

  • 📰

    First article discovered by CybersecurityNews

  • Vulnerability published

.
CVE-2025-29953 : Deserialization Vulnerability in Apache ActiveMQ NMS OpenWire Client