GHSA-cqgj-h8vf-4w59

Source

https://github.com/advisories/GHSA-cqgj-h8vf-4w59

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cqgj-h8vf-4w59/GHSA-cqgj-h8vf-4w59.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cqgj-h8vf-4w59

Aliases

CVE-2025-53114

Published

2026-06-10T16:46:28Z

Modified

2026-06-10T17:00:14.021210372Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Acknowledgement extension out of memory

Details

Impact

Bad clients that always send a fixed batch value while the server is using the acknowledgement extension can cause the unacknowledged message queue to grow indefinitely, eventually resulting in an OutOfMemoryError.

Such bad clients would always send:

{
  "channel": "/meta/connect",
  ...
  "ext": { "ack": 1 }
}

The server would never clear the unacknowledged message queue, and one bad client can cause a server outage.

Patches

5.0.x - https://github.com/cometd/cometd/pull/2168 6.0.x - https://github.com/cometd/cometd/pull/2169 8.0.x - https://github.com/cometd/cometd/pull/2118

Workarounds

Disable the acknowledgement extension.

Resources

https://github.com/cometd/cometd/discussions/2116 https://github.com/cometd/cometd/issues/2117

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-10T16:46:28Z",
    "nvd_published_at": null,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-400"
    ]
}

References

Affected packages

Maven

org.cometd.java:cometd-java-server-common

Package

Name: org.cometd.java:cometd-java-server-common; View open source insights on deps.dev
Purl: pkg:maven/org.cometd.java/cometd-java-server-common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.23

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9

5.0.10

5.0.11

5.0.12

5.0.13

5.0.14

5.0.15

5.0.16

5.0.17

5.0.18

5.0.19

5.0.20

5.0.21

5.0.22

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cqgj-h8vf-4w59/GHSA-cqgj-h8vf-4w59.json"

last_known_affected_version_range

"<= 5.0.22"

org.cometd.java:cometd-java-server-common

Package

Name: org.cometd.java:cometd-java-server-common; View open source insights on deps.dev
Purl: pkg:maven/org.cometd.java/cometd-java-server-common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.19

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

6.0.9

6.0.10

6.0.11

6.0.12

6.0.13

6.0.14

6.0.15

6.0.16

6.0.17

6.0.18

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cqgj-h8vf-4w59/GHSA-cqgj-h8vf-4w59.json"

last_known_affected_version_range

"<= 6.0.18"

org.cometd.java:cometd-java-server-common

Package

Name: org.cometd.java:cometd-java-server-common; View open source insights on deps.dev
Purl: pkg:maven/org.cometd.java/cometd-java-server-common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.0.19

Affected versions

7.*

7.0.0

7.0.1

7.0.2

7.0.3

7.0.4

7.0.5

7.0.6

7.0.7

7.0.8

7.0.9

7.0.10

7.0.11

7.0.12

7.0.13

7.0.14

7.0.15

7.0.16

7.0.17

7.0.18

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cqgj-h8vf-4w59/GHSA-cqgj-h8vf-4w59.json"

last_known_affected_version_range

"<= 7.0.18"

org.cometd.java:cometd-java-server-common

Package

Name: org.cometd.java:cometd-java-server-common; View open source insights on deps.dev
Purl: pkg:maven/org.cometd.java/cometd-java-server-common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.0.9

Affected versions

8.*

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.0.7

8.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cqgj-h8vf-4w59/GHSA-cqgj-h8vf-4w59.json"

last_known_affected_version_range

"<= 8.0.8"