CVE-2025-29953

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-29953

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-29953.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-29953

Aliases

GHSA-9g64-r942-fvmp

Published

2025-04-18T16:15:22.317Z

Modified

2026-03-14T12:42:59.071644Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client.

This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature to restrict deserialization, but this feature could be bypassed.

The .NET team has deprecated the built-in .NET binary serialization feature starting with .NET 9 and suggests migrating away from binary serialization. The project is considering to follow suit and drop this part of the NMS API altogether.

Users are recommended to upgrade to version 2.1.1, which fixes the issue. We also recommend to migrate away from relying on .NET binary serialization as a hardening method for the future.

References

Affected packages

Git / github.com/apache/activemq-nms-openwire

Affected ranges

Type

GIT

Repo

https://github.com/apache/activemq-nms-openwire

Events

Introduced

Fixed

ea15293eba103d42fb55f4f59cf7b8d7c7362c1a

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.1"
        }
    ]
}

Affected versions

1.*

1.8.0

1.8.0-rc2

2.*

2.0.0

2.0.0-rc1

2.0.0-rc2

2.0.1

2.0.1-rc1

2.1.0

2.1.0-rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-29953.json"