Home

CVE-2025-66168

Description

Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets.When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makesthe broker susceptible to unexpected behavior when interacting with non-compliant clients.This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes.The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted.This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.

Risk Information

Base Score
8.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
0.116

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2025-66168 are fixed in Apache-apache-activemq 5.19.2Windows
Vulnerabilities CVE-2025-66168 are fixed in Apache-apache-activemq 6.1.9Windows
Vulnerabilities CVE-2025-66168 are fixed in Apache-apache-activemq 6.2.1Windows
Vulnerabilities CVE-2025-66168 are fixed in Apache - activemq-all 5.19.2Windows
Vulnerabilities CVE-2025-66168 are fixed in Apache - activemq-all 6.1.9Windows
Vulnerabilities CVE-2025-66168 are fixed in Apache - activemq-all 6.2.1Windows
Vulnerabilities CVE-2025-66168 are fixed in Apache - activemq-mqtt 5.19.2Windows
Vulnerabilities CVE-2025-66168 are fixed in Apache - activemq-mqtt 6.1.9Windows
Vulnerabilities CVE-2025-66168 are fixed in Apache - activemq-mqtt 6.2.1Windows
Vulnerabilities CVE-2025-66168 are fixed in Apache-apache-activemq for Linux 5.19.2Linux
Vulnerabilities CVE-2025-66168 are fixed in Apache-apache-activemq for Linux 6.1.9Linux
Vulnerabilities CVE-2025-66168 are fixed in Apache-apache-activemq for Linux 6.2.1Linux
Vulnerabilities CVE-2025-66168 are fixed in Apache - activemq-all for Linux 5.19.2Linux
Vulnerabilities CVE-2025-66168 are fixed in Apache - activemq-all for Linux 6.1.9Linux
Vulnerabilities CVE-2025-66168 are fixed in Apache - activemq-all for Linux 6.2.1Linux
Vulnerabilities CVE-2025-66168 are fixed in Apache - activemq-mqtt for Linux 5.19.2Linux
Vulnerabilities CVE-2025-66168 are fixed in Apache - activemq-mqtt for Linux 6.1.9Linux
Vulnerabilities CVE-2025-66168 are fixed in Apache - activemq-mqtt for Linux 6.2.1Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234