GHSA-2q9g-8573-3265
Severity by source
Primary rating from Vendor (CNA). CVSS vector (Vendor): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5, High).
Network-accessible unauthenticated STOMP connection with no complexity barrier; the sole impact is complete availability loss via heap exhaustion; no confidentiality or integrity effect.
Lifecycle Timeline: PRE-NVD
Analysis (AI)
Unbounded heap consumption in Apache ActiveMQ's STOMP NIO codec allows an unauthenticated remote client to crash the broker by streaming header bytes that never terminate; the codec accumulates them in memory without limit until the JVM heap is exhausted. All three affected Maven artifacts (apache-activemq, activemq-all, activemq-stomp) are impacted in versions before 5.19.8 and in the 6.0.0-6.2.6 range. …
Vulnerability Assessment (AI)
| Topic | Assessment |
| --- | --- |
| Exploitation | The STOMP NIO transport connector must be enabled and network-reachable. It is a configurable transport in activemq.xml (a transportConnector whose URI uses the NIO STOMP scheme, i.e. stomp+nio or stomp+nio+ssl) and is not active in every deployment; operators who have not configured a STOMP NIO transportConnector are not affected. … |
| Risk Assessment | Independent CVSS 3.1 assessment yields AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (score 7.5, High): the attack is network-accessible, requires no authentication, and has low complexity. An attacker needs only a TCP connection to the STOMP port and the ability to keep streaming data without ever sending a frame terminator. … |
| Exploit Scenario | An unauthenticated attacker connects to the broker's STOMP NIO listener (typically TCP 61613) and streams a continuous sequence of header bytes without ever sending a STOMP line or frame terminator (linefeed or null byte). The broker's NIO codec appends each incoming byte to an unbounded in-memory buffer, so heap consumption grows in step with the bytes sent; eventually an OutOfMemoryError terminates the broker process, or garbage-collection storms render it unresponsive. … |
| Remediation | Upgrade to Apache ActiveMQ 6.2.7 for 6.x deployments or 5.19.8 for 5.x deployments; both releases were published June 29, 2026 and are available at https://activemq.apache.org/. No workaround is stated on this page. … |
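The buffering pattern described in the Exploit Scenario row, as an added example written for this page (it is a model of the flaw class, not ActiveMQ's STOMP NIO codec). One incremental STOMP decoder keeps the partial command/header line until a linefeed arrives; with `max_line=None` that buffer is unbounded, exactly the condition an attacker exploits by never sending the terminator, while a cap turns the same stream into a protocol error that the caller answers by closing the connection. The decoder goes a little beyond the row: it also handles `content-length` bodies (which may contain NUL), heartbeat linefeeds and an optional body cap. The 8192-byte cap, the 200,000-byte abuse stream and the sample CONNECT/SEND traffic are constructed for the demonstration.

```python
"""Incremental STOMP frame decoder with optional line and body caps.

Frame layout: COMMAND LF (header:value LF)* LF body NUL. Added example, not
ActiveMQ code; limits and traffic below are constructed for illustration."""
from dataclasses import dataclass

LF, NUL = 0x0A, 0x00


class ProtocolError(Exception):
    """Client exceeded a decoder limit; the connection should be closed."""


@dataclass
class Frame:
    command: str
    headers: dict
    body: bytes


class StompDecoder:
    def __init__(self, max_line=None, max_body=None):
        self.max_line, self.max_body = max_line, max_body   # None = unbounded
        self._reset()

    def _reset(self):
        self.state = "command"            # command -> headers -> body
        self.line = bytearray()           # partial command/header line
        self.body = bytearray()
        self.command, self.headers, self.body_len = None, {}, None

    def buffered(self):
        """Bytes currently held for an incomplete frame."""
        return len(self.line) + len(self.body)

    def feed(self, data: bytes):
        """Consume bytes from the socket; return the frames completed by them."""
        frames = []
        for b in data:                    # iterating bytes yields ints
            frame = self._step(b)
            if frame is not None:
                frames.append(frame)
        return frames

    def _step(self, b):
        if self.state != "body":
            if b != LF:
                self.line.append(b)       # grows until a LF arrives ...
                if self.max_line is not None and len(self.line) > self.max_line:
                    raise ProtocolError(f"line exceeds {self.max_line} bytes")
                return None               # ... without limit when max_line is None
            line = bytes(self.line).rstrip(b"\r")
            self.line.clear()
            if self.state == "command":
                if line:                  # empty lines between frames are heartbeats
                    self.command, self.state = line.decode("ascii"), "headers"
            elif line:
                name, _, value = line.partition(b":")
                self.headers.setdefault(name.decode(), value.decode())  # first wins
                if name == b"content-length":
                    self.body_len = int(value)
            else:
                self.state = "body"       # blank line ends the headers
            return None
        # Body: fixed length when content-length was given (may contain NUL),
        # otherwise everything up to the first NUL.
        if self.body_len is not None and len(self.body) < self.body_len:
            return self._append_body(b)
        if b == NUL:
            frame = Frame(self.command, dict(self.headers), bytes(self.body))
            self._reset()
            return frame
        if self.body_len is not None:
            raise ProtocolError("expected NUL after content-length body")
        return self._append_body(b)

    def _append_body(self, b):
        self.body.append(b)
        if self.max_body is not None and len(self.body) > self.max_body:
            raise ProtocolError(f"body exceeds {self.max_body} bytes")
        return None


# Constructed traffic: a well-formed CONNECT and SEND, then the abuse pattern
# from the advisory (a command line followed by header bytes that never end).
VALID_STREAM = (b"CONNECT\naccept-version:1.2\nhost:broker\n\n\x00"
                b"SEND\ndestination:/queue/a\ncontent-length:5\n\nhel\x00o\x00")


def abuse_stream(n):
    return b"SEND\n" + b"x" * n


def decode_valid():
    return StompDecoder(max_line=8192).feed(VALID_STREAM)


def unbounded_growth(n):
    """Bytes held after the uncapped decoder receives n never-terminated bytes."""
    d = StompDecoder(max_line=None)
    d.feed(abuse_stream(n))
    return d.buffered()


def bounded_rejects(n, cap=8192):
    """Bytes held at the moment the capped decoder refuses the same stream."""
    d = StompDecoder(max_line=cap)
    try:
        d.feed(abuse_stream(n))
    except ProtocolError:
        return d.buffered()
    return None                           # stream stayed under the cap


if __name__ == "__main__":
    print(decode_valid())
    print(unbounded_growth(200_000), bounded_rejects(200_000))
```

With no cap the decoder holds every byte the client sent (200,000 for the constructed stream, and in a real broker as many as the attacker cares to send); with the cap it holds at most `cap + 1` bytes before raising, and a caller that closes the connection on `ProtocolError` bounds per-connection memory to a constant. The page lists no workaround, so an existing frame-size option on a connector should not be assumed to cover header buffering for this bug; the remediation remains the upgrade.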
Recommended Action (AI)
Within 24 hours: identify all ActiveMQ deployments and inventory their versions; check conf/activemq.xml for STOMP transportConnectors (in particular the stomp+nio and stomp+nio+ssl schemes) and query for listeners on STOMP port 61613 or custom STOMP ports; classify each instance by business criticality. …
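One way to run the inventory step above against a checked-out ActiveMQ install, as an added example written for this page rather than a project tool. It assumes the stock distribution layout (conf/activemq.xml and version-suffixed jars under lib/) and that the NIO transport the advisory names is the one selected by the stomp+nio and stomp+nio+ssl URI schemes; whether the plain stomp:// (blocking) transport shares the affected codec is not stated on this page, so that assumption should be confirmed against the vendor advisory. The affected ranges are the ones this page states (before 5.19.8, and 6.0.0 through 6.2.6). The activemq.xml and jar name used below are a constructed fixture, not a real broker.

```python
"""Triage helper: is an ActiveMQ install on an affected version with a
STOMP NIO transportConnector configured?

Added example, not ActiveMQ project code. Assumes the stock layout
(conf/activemq.xml, lib/activemq-*-<version>.jar) and that stomp+nio /
stomp+nio+ssl are the NIO STOMP schemes. The fixture below is constructed."""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

CORE_NS = "http://activemq.apache.org/schema/core"
NIO_SCHEMES = {"stomp+nio", "stomp+nio+ssl"}
# First fixed release per line, as the advisory states: 5.19.8 and 6.2.7.
FIXED = {5: (5, 19, 8), 6: (6, 2, 7)}


def parse_version(text):
    """'5.19.7' or '6.2.7-SNAPSHOT' -> (5, 19, 7); missing parts become 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version):
    """Anything before 5.19.8, or 6.0.0 through 6.2.6, is affected."""
    v = parse_version(version)
    if v[0] <= 5:
        return v < FIXED[5]
    if v[0] == 6:
        return v < FIXED[6]
    return False                      # the advisory lists no range above 6.x


def fixed_version(version):
    line = 6 if parse_version(version)[0] >= 6 else 5
    return ".".join(map(str, FIXED[line]))


def stomp_nio_connectors(activemq_xml):
    """URIs of <transportConnector> elements whose scheme is a STOMP NIO one."""
    root = ET.parse(activemq_xml).getroot()
    found = []
    for tc in root.iter(f"{{{CORE_NS}}}transportConnector"):
        uri = tc.get("uri", "")
        if uri.split("://", 1)[0] in NIO_SCHEMES:
            found.append(uri)
    return found


def installed_version(home):
    """Read the version out of a jar name such as lib/activemq-broker-5.19.7.jar."""
    for jar in sorted(Path(home, "lib").glob("activemq-*.jar")):
        m = re.search(r"-(\d+\.\d+\.\d+[^/]*)\.jar$", jar.name)
        if m:
            return m.group(1)
    raise FileNotFoundError(f"no versioned activemq jar under {home}/lib")


def triage(home):
    """Return (exposed, version, nio_connector_uris, advice) for one install."""
    version = installed_version(home)
    conns = stomp_nio_connectors(Path(home, "conf", "activemq.xml"))
    exposed = bool(conns) and is_affected(version)
    advice = f"upgrade to {fixed_version(version)}" if exposed else "not exposed to this advisory"
    return exposed, version, conns, advice


# Constructed fixture: a plain stomp:// connector next to a stomp+nio:// one;
# only the latter matches the NIO check.
FIXTURE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
      <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/>
      <transportConnector name="stomp+nio"
          uri="stomp+nio://0.0.0.0:61623?maximumConnections=1000"/>
    </transportConnectors>
  </broker>
</beans>
"""


def make_fixture(version="5.19.7"):
    """Build a throwaway ACTIVEMQ_HOME-shaped directory holding the fixture."""
    home = Path(tempfile.mkdtemp(prefix="amq-triage-"))
    (home / "conf").mkdir()
    (home / "lib").mkdir()
    (home / "conf" / "activemq.xml").write_text(FIXTURE_XML)
    (home / "lib" / f"activemq-broker-{version}.jar").touch()
    return home


if __name__ == "__main__":
    for ver in ("5.19.7", "6.2.7"):
        print(ver, triage(make_fixture(ver)))
```

Point `triage()` at a real ACTIVEMQ_HOME to get the same tuple; a hit means the instance belongs in the upgrade queue, and an install that reports a version in range but no NIO connector still deserves a second look if STOMP connectors are added by Spring includes or by configuration outside conf/activemq.xml, which this helper does not read.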
Related Apache ActiveMQ advisories
- Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. Rated medium severity (CVSS 6.9), this vulnerability …
- Remote code execution in Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ (versions before 5.19.7 and 6.0.0 before 6.2…
- Denial of service in Apache ActiveMQ (versions before 5.19.8, and 6.0.0 before 6.2.7) lets an authenticated user crash t…
- Unauthorized message consumption in Apache ActiveMQ Classic lets a connected client read from temporary destinations belonging …
- Stored cross-site scripting in Apache ActiveMQ Web Console allows an authenticated message producer to inject malicious …
EUVD identifier: EUVD-2026-40278