Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated remote client triggers memory exhaustion pre-auth, so AV:N/AC:L/PR:N/UI:N; impact is availability-only, hence C:N/I:N/A:H with scope unchanged.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
RabbitMQ is a messaging and streaming broker. Prior to 4.2.6, the RabbitMQ stream listener does not enforce the configured stream frame-size limit while assembling frames during authentication and before Tune negotiation, allowing an unauthenticated remote client to declare oversized frame lengths and consume broker memory in rabbit_stream_core. This issue is fixed in version 4.2.6.
AnalysisAI
Memory-exhaustion denial of service in RabbitMQ server prior to 4.2.6 allows an unauthenticated remote client to crash or degrade the broker via its stream protocol listener. Because the stream listener fails to enforce the configured frame-size limit while assembling frames during authentication and before Tune negotiation, an attacker can declare oversized frame lengths and force unbounded memory allocation in rabbit_stream_core. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target run the RabbitMQ stream protocol (the rabbitmq_stream plugin/stream listener, default TCP 5552 / TLS 5551) and that this listener be network-reachable by the attacker; the malicious frames must be sent during authentication and before Tune negotiation, which is exactly the window where the frame-size limit is not enforced. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) is internally consistent with the description: network-reachable, low-complexity, no privileges, no user interaction, and a pure availability impact with no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the RabbitMQ stream listener port opens a connection and, during the pre-authentication handshake before Tune negotiation, sends frames declaring very large frame lengths. The broker attempts to buffer these oversized frames in rabbit_stream_core without enforcing the frame-size cap, and repeated or parallel connections drive memory consumption until the node degrades or is killed by the OS or memory alarm. … |
| Remediation | Vendor-released patch: 4.2.6 - upgrade RabbitMQ server to 4.2.6 or later, which enforces the stream frame-size limit during frame assembly in the pre-Tune authentication phase (fixes in pull requests https://github.com/rabbitmq/rabbitmq-server/pull/16171 and https://github.com/rabbitmq/rabbitmq-server/pull/16173 and commits 595ec28fa1621b1f2c28124e4e0466a8ad963547 and 773a49c4921e8be990262a2d609c35916825679e; advisory at https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-f364-87q5-j35q). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all RabbitMQ deployments, identify instances running versions prior to 4.2.6, and confirm which have exposed stream protocol listeners on network perimeter. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Rabbitmq Server
View allPivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x ver
An issue was discovered in Pivotal RabbitMQ 3.x before 3.5.8 and 3.6.x before 3.6.6 and RabbitMQ for PCF 1.5.x before 1.
RabbitMQ is a messaging and streaming broker. In versions 3.13.7 and prior, RabbitMQ is logging authorization headers in
Sensitive credential disclosure in RabbitMQ affects installations running the management plugin with OAuth 2 configured
An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x versions, all 3.5.x versions, and 3.6.x versions p
RabbitMQ installers on Windows prior to version 3.8.16 do not harden plugin directory permissions, potentially allowing
Stored cross-site scripting in the RabbitMQ management UI (versions prior to 4.2.5) lets a user holding queue/exchange d
Uncontrolled resource consumption in the RabbitMQ Management plugin's HTTP API lets an authenticated client crash or deg
Authorization bypass in RabbitMQ topic permissions lets an authenticated user with restricted topic rights publish to or
Improper authorization in RabbitMQ broker (versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) allows an authenticated
Authentication bypass in RabbitMQ (broker versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) lets a loopback-restrict
Server-side request forgery and NTLM credential exposure in the RabbitMQ management plugin (versions 4.1.0 to before 4.1
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43018