Deserialization Vulnerability in Apache ActiveMQ NMS OpenWire Client
CVE-2025-29953
9.8CRITICAL
Key Information:
- Vendor
- Apache
- Vendor
- CVE Published:
- 18 April 2025
Summary
The vulnerability in Apache ActiveMQ NMS OpenWire Client prior to version 2.1.1 enables deserialization of untrusted data from untrusted servers. This flaw allows malicious entities to exploit unbounded deserialization, potentially leading to arbitrary code execution on the client. While version 2.1.0 introduced a mechanism to restrict deserialization through an allow/denylist, this feature is susceptible to bypass. Users are strongly urged to upgrade to version 2.1.1 to mitigate this risk and consider transitioning from .NET binary serialization for future-proofing their applications.
Affected Version(s)
Apache ActiveMQ NMS OpenWire Client 0 < 2.1.1
References
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published