CVE-2025-29953
Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature to restrict deserialization, but this feature could be bypassed. The .NET team has deprecated the built-in .NET binary serialization feature starting with .NET 9 and suggests migrating away from binary serialization. The project is considering to follow suit and drop this part of the NMS API altogether. Users are recommended to upgrade to version 2.1.1, which fixes the issue. We also recommend to migrate away from relying on .NET binary serialization as a hardening method for the future.
Vulnerabilidad de deserialización de datos no confiables en Apache ActiveMQ NMS OpenWire Client. Este problema afecta a Apache ActiveMQ NMS OpenWire Client anterior a la versión 2.1.1 al conectar con servidores no confiables. Dichos servidores podrían abusar de la deserialización ilimitada del cliente para proporcionar respuestas maliciosas que podrían provocar la ejecución de código arbitrario. La versión 2.1.0 introdujo una función de lista de permitidos/denegados para restringir la deserialización, pero esta función podía omitirse. El equipo de .NET ha descontinuado la función integrada de serialización binaria de .NET a partir de .NET 9 y sugiere migrar hacia una versión posterior. El proyecto está considerando seguir el ejemplo y eliminar esta parte de la API de NMS por completo. Se recomienda a los usuarios actualizar a la versión 2.1.1, que soluciona el problema. También recomendamos migrar hacia una versión posterior que no dependa de la serialización binaria de .NET como método de protección.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apache ActiveMQ NMS. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the Body accessor method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2025-03-12 CVE Reserved
- 2025-04-18 CVE Published
- 2025-04-30 CVE Updated
- 2025-05-20 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2025/04/18/3 |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/vc1sj9y3056d3kkhcvrs9fyw5w8kpmlx | 2025-04-23 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache ActiveMQ NMS OpenWire Client Search vendor "Apache Software Foundation" for product "Apache ActiveMQ NMS OpenWire Client" | < 2.1.1 Search vendor "Apache Software Foundation" for product "Apache ActiveMQ NMS OpenWire Client" and version " < 2.1.1" | en |
Affected
| ||||||