GHSA-f77w-px59-cqf5
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable OpenWire with low complexity; the description requires an authenticated user, which argues for PR:L rather than the vector's PR:N. Impact is availability-only (A:H) with no confidentiality or integrity effect.
Primary rating from Vendor (CNA).
CVSS Vector (Vendor)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Analysis (AI)
Denial of service in Apache ActiveMQ (versions before 5.19.8, and 6.0.0 before 6.2.7) lets an authenticated user crash the broker by sending a crafted OpenWire message whose property map declares an excessively large encoded size. Because the map is unmarshaled without validating the declared size against actual payload bounds, the broker pre-allocates massive memory and hits an OutOfMemory condition. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the broker to expose the OpenWire transport (the default ActiveMQ connector, typically TCP 61616) and the ability to send a single OpenWire message containing a property map with a forged large encoded size value that is unmarshaled without bounds checking. … |
| Risk Assessment | The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a pure availability impact reachable over the network with low complexity, no UI, and - per the vector - no privileges. … |
| Exploit Scenario | An attacker with a valid OpenWire connection to the broker (or, if the PR:N vector holds, any network client) crafts a single message whose property-map header declares a huge encoded size. When the broker unmarshals the map it pre-allocates memory to match the bogus size, exhausts the JVM heap, and the broker process throws OutOfMemoryError and crashes - taking down messaging for all connected applications. … |
| Remediation | Vendor-released patch: upgrade to 6.2.7 (for the 6.x line) or 5.19.8 (for the 5.x line), which add size validation during OpenWire map unmarshaling; this is the primary and recommended fix per the Apache advisory (https://activemq.apache.org/ and https://lists.apache.org/thread/grrd1mwgkgblqjbwkkq6dvmdxd9ov2dx). … |
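The bug class behind the description and exploit scenario above, as an added example that is not ActiveMQ's own code: a length-prefixed map decoder that, when unvalidated, sizes an allocation from the attacker-controlled declared size, and the bounds checks (declared size against bytes received, against a policy cap, and entry count against the declared body) that the fix adds. The frame layout, the MAX_MAP_BYTES cap and the helper names are assumptions for this example and are not the real OpenWire encoding.

```python
import struct

# Assumed policy cap on one map's encoded size (chosen for this example, not from the advisory).
MAX_MAP_BYTES = 1 << 20


class MalformedFrame(ValueError):
    """A declared length does not fit the bytes actually received."""


def encode_map(props: dict) -> bytes:
    """Constructed layout used only here (not the real OpenWire encoding):
    u32 body_size | u32 entry_count | per entry: u16 key_len, key, u32 value_len, value."""
    body = struct.pack(">I", len(props))
    for key, value in props.items():
        k = key.encode("utf-8")
        body += struct.pack(">H", len(k)) + k + struct.pack(">I", len(value)) + value
    return struct.pack(">I", len(body)) + body


def with_declared_size(frame: bytes, size: int) -> bytes:
    """Rewrite the size prefix so a small frame claims a different body size (test input)."""
    return struct.pack(">I", size) + frame[4:]


def unmarshal_map(frame: bytes, validate: bool = True) -> dict:
    """Decode a map frame. validate=False mirrors the vulnerable pattern: memory is
    reserved from the declared size before a single byte of the body has been read."""
    declared = struct.unpack_from(">I", frame, 0)[0]
    available = len(frame) - 4
    if validate:
        # The fix: a declared size can never exceed what was received, nor the policy cap.
        if declared > available:
            raise MalformedFrame(f"declared {declared} bytes, only {available} received")
        if declared > MAX_MAP_BYTES:
            raise MalformedFrame(f"declared {declared} bytes exceeds cap {MAX_MAP_BYTES}")
    body = bytearray(declared)  # attacker-sized allocation when unvalidated
    n = min(available, declared)
    body[:n] = frame[4:4 + n]
    count = struct.unpack_from(">I", body, 0)[0]
    if validate and count > (declared - 4) // 6:  # every entry needs 6 header bytes
        raise MalformedFrame(f"{count} entries cannot fit in {declared} bytes")
    props, pos = {}, 4
    for _ in range(count):
        (key_len,) = struct.unpack_from(">H", body, pos); pos += 2
        if validate and pos + key_len + 4 > declared:
            raise MalformedFrame("key length overruns the declared body")
        key = bytes(body[pos:pos + key_len]).decode("utf-8"); pos += key_len
        (val_len,) = struct.unpack_from(">I", body, pos); pos += 4
        if validate and pos + val_len > declared:
            raise MalformedFrame("value length overruns the declared body")
        props[key] = bytes(body[pos:pos + val_len]); pos += val_len
    return props
```

The same checks apply whether the declared value is a byte length or an element count: anything the peer declares is validated against what was actually received before it drives an allocation.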
Recommended Action (AI)
Within 24 hours: Identify all Apache ActiveMQ deployments and document current versions running in your environment. …
Related Apache ActiveMQ vulnerabilities
- Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. Rated medium severity (CVSS 6.9), this vul
- Remote code execution in Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ (versions before 5.19.7 and 6.0.0 before 6.2
- Unbounded heap consumption in Apache ActiveMQ's STOMP NIO codec allows an unauthenticated remote client to crash the bro
- Unauthorized message consumption in Apache ActiveMQ Classic lets a connected client read from temporary destinations bel
- Stored cross-site scripting in Apache ActiveMQ Web Console allows an authenticated message producer to inject malicious
Same technique: Denial of Service
EUVD-2026-40277