CVE-2025-27533
Published: 07 May 2025
Summary
CVE-2025-27533 is a medium-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Apache ActiveMQ. Its CVSS base score is 6.9 (Medium).
Operationally, it ranks in the top 15.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-27533 is a memory allocation vulnerability (CWE-789) in Apache ActiveMQ that occurs during unmarshalling of OpenWire commands. The broker fails to validate buffer size values, allowing excessive memory to be allocated. The flaw affects versions 6.0.0 before 6.1.6, 5.18.0 before 5.18.7, 5.17.0 before 5.17.7, and all releases before 5.16.8; version 5.19.0 is unaffected.
An attacker able to send crafted OpenWire commands to an ActiveMQ broker that is not protected by mutual TLS can trigger the excessive allocation, exhausting process memory and causing a denial of service that disrupts any applications or services depending on the broker.
Apache advisories and downstream distributions recommend upgrading to 6.1.6 or later, 5.19.0 or later, 5.18.7 or later, 5.17.7 or later, or 5.16.8. Existing deployments can also mitigate exposure by enforcing mutual TLS authentication on broker connections.
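To make the CWE-789 pattern concrete, the following is an added illustration, not ActiveMQ's own code (and in Python rather than the broker's Java): a length-prefixed byte field unmarshalled the unsafe way beside the checked way. The 4-byte big-endian length prefix, the MAX_FIELD_SIZE cap and the build_frame helper are assumptions made for the demo.

```python
import struct

# Constructed policy value (an assumption, not an ActiveMQ setting): the largest
# byte field a single length-prefixed command may declare.
MAX_FIELD_SIZE = 1 * 1024 * 1024


class UnmarshalError(ValueError):
    """Raised when a length-prefixed field fails validation."""


def unmarshal_bytes_vulnerable(frame: bytes, offset: int = 0) -> bytearray:
    """Vulnerable pattern (CWE-789): trust the 4-byte big-endian length and
    allocate a buffer of that size before checking the frame can supply it."""
    (size,) = struct.unpack_from(">i", frame, offset)
    offset += 4
    buf = bytearray(size)  # allocation sized by a peer-controlled value
    chunk = frame[offset:offset + size]
    buf[:len(chunk)] = chunk  # short read: the rest of the buffer stays zeroed
    return buf


def unmarshal_bytes_checked(frame: bytes, offset: int = 0) -> bytes:
    """Hardened pattern: reject the declared length if it is negative, over the
    policy cap, or larger than the bytes still present in the frame."""
    if len(frame) - offset < 4:
        raise UnmarshalError("truncated length prefix")
    (size,) = struct.unpack_from(">i", frame, offset)
    offset += 4
    if size < 0:
        raise UnmarshalError(f"negative length {size}")
    if size > MAX_FIELD_SIZE:
        raise UnmarshalError(f"length {size} exceeds cap {MAX_FIELD_SIZE}")
    remaining = len(frame) - offset
    if size > remaining:
        raise UnmarshalError(f"length {size} exceeds {remaining} bytes available")
    return bytes(frame[offset:offset + size])


def build_frame(declared_size: int, payload: bytes) -> bytes:
    """Constructed test input: a length prefix that may deliberately disagree
    with the payload actually attached."""
    return struct.pack(">i", declared_size) + payload


if __name__ == "__main__":
    lying = build_frame(16 * 1024 * 1024, b"")  # 4 bytes in, 16 MiB requested
    print(len(unmarshal_bytes_vulnerable(lying)), "bytes allocated")
    print(unmarshal_bytes_checked(build_frame(5, b"hello")))
```

The checked version bounds the allocation by what the frame actually carries, which is the validation the advisory says was missing; the cap is the kind of per-field limit a broker would tie to its configured frame size.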
The EPSS score remains flat at 0.0225 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13714
Vulnerability details
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated, which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected. Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8, which fixes the issue. Existing users may implement mutual TLS to mitigate the risk on affected brokers.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.