Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote unauthenticated peer triggers DoS over the network with a simple malformed header (AV:N/AC:L/PR:N/UI:N); impact is availability-only via OOM/connection teardown, so C:N/I:N/A:H.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.
A remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.
Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Articles & Coverage 1
AnalysisAI
Denial-of-service in Apache ActiveMQ STOMP connectors lets a remote peer that can reach an exposed STOMP port crash or exhaust the broker by sending a negative content-length value. On the NIO STOMP transport the attacker streams body bytes to grow the per-connection command buffer past configured limits and force an out-of-memory condition, while the blocking STOMP transport instead throws an abnormal transport exception that closes the affected connection. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that an Apache ActiveMQ STOMP connector be enabled and network-reachable by the attacker; the OOM-style impact specifically requires the NIO STOMP transport, whereas the blocking STOMP transport yields only a single-connection abnormal close rather than broker-wide exhaustion. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or vector was supplied by the source, so severity must be inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker locates an internet-exposed ActiveMQ STOMP connector and opens a TCP session to it without authenticating. They send a STOMP frame whose content-length header is set to a negative value and, on a NIO transport, continue streaming body bytes; the broker's per-connection command buffer grows past its configured limit and the JVM exhausts heap memory, taking the broker offline. … |
| Remediation | Vendor-released patch: upgrade to Apache ActiveMQ 6.2.7 (for the 6.x line) or 5.19.8 (for the 5.x line), which fix the improper validation of the STOMP content-length header; the same fixed versions apply to the ActiveMQ All and ActiveMQ Stomp distributions, per the Apache advisory at https://lists.apache.org/thread/fsjb26605syqr8xks249h8gkp86t55d2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all ActiveMQ instances running affected versions (pre-5.19.8 or 6.0.0-6.2.6); implement firewall rules to restrict STOMP port access (default TCP 5672) to internal authorized systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Apache Activemq
View allRemote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers t
Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to by
Remote code execution in Apache ActiveMQ allows authenticated attackers with admin console access to inject malicious Sp
Privilege escalation via improper authorization in Apache ActiveMQ before 5.19.8 and 6.0.0 before 6.2.7 lets an authenti
Denial of service in Apache ActiveMQ (Client, broker, and All distributions) before 5.19.8 and 6.x before 6.2.7 lets a r
Remote denial of service in Apache ActiveMQ (versions 5.19.7 and 6.2.6) allows an unauthenticated attacker to exhaust br
Improper input validation in Apache ActiveMQ lets an attacker who can write or modify LDAP entries matching the broker's
Out-of-memory denial of service in Apache ActiveMQ allows unauthenticated remote attackers to exhaust broker memory via
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40284
GHSA-xjwq-9jw5-jf7w