// For flags

CVE-2025-29953

Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature to restrict deserialization, but this feature could be bypassed. The .NET team has deprecated the built-in .NET binary serialization feature starting with .NET 9 and suggests migrating away from binary serialization. The project is considering to follow suit and drop this part of the NMS API altogether. Users are recommended to upgrade to version 2.1.1, which fixes the issue. We also recommend to migrate away from relying on .NET binary serialization as a hardening method for the future.

Vulnerabilidad de deserialización de datos no confiables en Apache ActiveMQ NMS OpenWire Client. Este problema afecta a Apache ActiveMQ NMS OpenWire Client anterior a la versión 2.1.1 al conectar con servidores no confiables. Dichos servidores podrían abusar de la deserialización ilimitada del cliente para proporcionar respuestas maliciosas que podrían provocar la ejecución de código arbitrario. La versión 2.1.0 introdujo una función de lista de permitidos/denegados para restringir la deserialización, pero esta función podía omitirse. El equipo de .NET ha descontinuado la función integrada de serialización binaria de .NET a partir de .NET 9 y sugiere migrar hacia una versión posterior. El proyecto está considerando seguir el ejemplo y eliminar esta parte de la API de NMS por completo. Se recomienda a los usuarios actualizar a la versión 2.1.1, que soluciona el problema. También recomendamos migrar hacia una versión posterior que no dependa de la serialización binaria de .NET como método de protección.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apache ActiveMQ NMS. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the Body accessor method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process.

*Credits: g7shot working with Trend Zero Day Initiative
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2025-03-12 CVE Reserved
  • 2025-04-18 CVE Published
  • 2025-04-30 CVE Updated
  • 2025-05-20 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-502: Deserialization of Untrusted Data
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache Software Foundation
Search vendor "Apache Software Foundation"
Apache ActiveMQ NMS OpenWire Client
Search vendor "Apache Software Foundation" for product "Apache ActiveMQ NMS OpenWire Client"
< 2.1.1
Search vendor "Apache Software Foundation" for product "Apache ActiveMQ NMS OpenWire Client" and version " < 2.1.1"
en
Affected