OutOfMemoryError in CometD Due to Misconfigured Acknowledgement Extension
CVE-2025-53114

7.5HIGH

Key Information:

Vendor

Cometd

Status
Cometd
Vendor
CVE Published:
18 June 2026

What is CVE-2025-53114?

A vulnerability in CometD affects versions between 5.0.0 and 8.0.8, where improperly configured clients sending a consistent batch value with the acknowledgement extension enabled can lead to an unbounded growth of the unacknowledged message queue. This growth can ultimately result in an OutOfMemoryError, disrupting the messaging service. Users are advised to either upgrade to patched versions (5.0.23, 6.0.19, 7.0.19, and 8.0.9) or disable the acknowledgement feature as a temporary workaround.

Affected Version(s)

cometd >= 5.0.0, < 5.0.23 < 5.0.0, 5.0.23

cometd >= 6.0.0, < 6.0.19 < 6.0.0, 6.0.19

cometd >= 7.0.0, < 7.0.19 < 7.0.0, 7.0.19

References

https://github.com/cometd/cometd/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/cometd/cometd/issues/2117
x_refsource_MISC
https://github.com/cometd/cometd/pull/2118
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.