Cyber Resilience

CVE-2025-27533

Medium

Published: 07 May 2025
Modified: 03 November 2025
CVSS v4 score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:M/U:Red)
EPSS score: 0.0225 (85.0th percentile)
Risk priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27533 is a medium-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Apache ActiveMQ. Its CVSS base score is 6.9 (Medium).

Operationally, it ranks in the top 15.0% of CVEs by exploit likelihood (EPSS 85.0th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-27533 is a memory allocation vulnerability (CWE-789) in Apache ActiveMQ that occurs during unmarshalling of OpenWire commands. The broker fails to validate buffer size values, allowing excessive memory to be allocated. The flaw affects versions 6.0.0 before 6.1.6, 5.18.0 before 5.18.7, 5.17.0 before 5.17.7, and all releases before 5.16.8; version 5.19.0 is unaffected.

An attacker able to send crafted OpenWire commands to an ActiveMQ broker that is not protected by mutual TLS can trigger the excessive allocation, exhausting process memory and causing a denial of service that disrupts any applications or services depending on the broker.
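The unvalidated size value described above, modelled as an added example that is not ActiveMQ's code and does not reproduce the real OpenWire wire format: a simplified length-prefixed field is read once the vulnerable way (allocate whatever size the frame declares) and once with the checks a hardened unmarshaller performs before allocating. MAX_FIELD_SIZE, encode_field and is_rejected are constructed names for this illustration.

```python
import struct

# Constructed, illustrative cap on one length-prefixed field. A real broker
# would take such a limit from its configuration, not a hard-coded constant.
MAX_FIELD_SIZE = 1024 * 1024  # 1 MiB


class UnmarshalError(ValueError):
    """Raised when a frame is rejected before any allocation takes place."""


def unmarshal_unchecked(frame, offset=0):
    """Vulnerable pattern (CWE-789): the declared size is trusted as-is.
    The reader reserves `size` bytes first and only then copies the payload
    actually present, so a tiny frame with a huge size field makes the
    process allocate far more memory than it ever received."""
    (size,) = struct.unpack_from(">i", frame, offset)
    out = bytearray(size)                      # sized by untrusted input
    payload = frame[offset + 4:offset + 4 + size]
    out[:len(payload)] = payload
    return bytes(out)


def unmarshal_checked(frame, offset=0):
    """Hardened form: validate the size value before allocating anything."""
    if len(frame) - offset < 4:
        raise UnmarshalError("truncated size prefix")
    (size,) = struct.unpack_from(">i", frame, offset)
    if size < 0:
        raise UnmarshalError(f"negative size {size}")
    if size > MAX_FIELD_SIZE:
        raise UnmarshalError(f"declared size {size} exceeds cap {MAX_FIELD_SIZE}")
    available = len(frame) - offset - 4
    if size > available:
        raise UnmarshalError(f"declared size {size} exceeds {available} bytes received")
    return bytes(frame[offset + 4:offset + 4 + size])


def encode_field(payload, declared_size=None):
    """Build a constructed length-prefixed field. `declared_size` lets a test
    deliberately misstate the length, the way a malformed frame would."""
    size = len(payload) if declared_size is None else declared_size
    return struct.pack(">i", size) + payload


def is_rejected(frame):
    """True when the hardened reader refuses `frame` without allocating."""
    try:
        unmarshal_checked(frame)
        return False
    except UnmarshalError:
        return True
```

The same three checks (non-negative, below a configured cap, not larger than the bytes actually received) are the ones to look for when reviewing any unmarshalling code that reads a size from the network.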

Apache advisories and downstream distributions recommend upgrading to 6.1.6 or later, 5.19.0 or later, 5.18.7 or later, 5.17.7 or later, or 5.16.8. Existing deployments can also mitigate exposure by enforcing mutual TLS authentication on broker connections.

The EPSS score remains flat at 0.0225 with no material increase after disclosure.

Vulnerability details

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected. Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8, which fixes the issue. Existing users may implement mutual TLS to mitigate the risk on affected brokers.

CWE(s)

CWE-789: Memory Allocation with Excessive Size Value

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Apache ActiveMQ (apache:activemq): 5.16.0 — 5.16.8 · 5.17.0 — 5.17.7 · 5.18.0 — 5.18.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
