Deserialization Vulnerability in Apache ActiveMQ NMS OpenWire Client
CVE-2025-29953

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache ActiveMQ Nms Openwire Client
Vendor: CVE Published:; 18 April 2025

What is CVE-2025-29953?

The vulnerability in Apache ActiveMQ NMS OpenWire Client prior to version 2.1.1 enables deserialization of untrusted data from untrusted servers. This flaw allows malicious entities to exploit unbounded deserialization, potentially leading to arbitrary code execution on the client. While version 2.1.0 introduced a mechanism to restrict deserialization through an allow/denylist, this feature is susceptible to bypass. Users are strongly urged to upgrade to version 2.1.1 to mitigate this risk and consider transitioning from .NET binary serialization for future-proofing their applications.

Affected Version(s)

Apache ActiveMQ NMS OpenWire Client 0 < 2.1.1

References

https://lists.apache.org/thread/vc1sj9y3056d3kkhcvrs9fyw5...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 18, 2025