PT-2025-12833 · Rabbitmq+6
Published 2025-03-25 · Updated 2026-01-25
CVE-2025-30219 · CVSS v3.1 6.1 (Medium)
Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L
Name of the Vulnerable Software and Affected Versions
RabbitMQ versions prior to 4.0.3
Tanzu RabbitMQ versions prior to 4.0.3 and 3.13.8
Description
RabbitMQ is a messaging and streaming broker. A sophisticated attack could modify the virtual host name on disk, making it unrecoverable and leading to arbitrary JavaScript code execution in the browsers of management UI users. When a virtual host on a RabbitMQ node fails to start, an error message is displayed in the management UI, including the virtual host name, which was not escaped prior to version 4.0.3. An attack that makes a virtual host fail to start and creates a new virtual host name with an XSS code snippet or changes the name of an existing virtual host on disk could trigger arbitrary JavaScript code execution in the management UI.
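As an added illustration that is not RabbitMQ's own code, the snippet below models the failure notice the description refers to: a virtual host name read from disk placed into management UI markup verbatim (the pre-4.0.3 behaviour) beside the escaped form, plus a check that flags on-disk vhost names carrying HTML metacharacters. The element structure, function names and the sample name are assumptions.

```javascript
// Added example, not RabbitMQ code. Models how a management UI might build the
// "virtual host failed to start" notice from a vhost name read from disk.

// Minimal HTML escaping for a value placed into an HTML text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Defective form (mirrors the pre-4.0.3 behaviour described above): the vhost
// name is interpolated straight into markup, so any tags it carries are
// rendered by the browser of whoever opens the management UI.
function renderVhostErrorUnsafe(vhostName, reason) {
  return `<div class="vhost-error">Virtual host ${vhostName} failed to start: ${reason}</div>`;
}

// Hardened form: every value that did not originate in the template itself is
// escaped before it enters the HTML context.
function renderVhostError(vhostName, reason) {
  return `<div class="vhost-error">Virtual host ${escapeHtml(vhostName)} failed to start: ${escapeHtml(reason)}</div>`;
}

// Detection aid for the scenario in the advisory: a vhost name containing HTML
// metacharacters is not something normal administration produces, so seeing one
// on disk is a signal that the stored name was tampered with.
function vhostNameLooksTampered(vhostName) {
  return /[<>"'&]/.test(vhostName);
}

// Constructed sample (assumption): a vhost name that carries markup, as a
// modified on-disk name could.
const sampleName = "prod<b>tampered</b>";
```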
Recommendations
For RabbitMQ versions prior to 4.0.3, update to version 4.0.3 or later to resolve the issue.
For Tanzu RabbitMQ versions prior to 4.0.3, update to version 4.0.3 or later to resolve the issue.
For Tanzu RabbitMQ versions prior to 3.13.8, update to version 3.13.8 or later to resolve the issue.
Exploit
Fix
RCE
XSS
Affected Products
Debian
Linuxmint
Rabbitmq
Red Os
Suse
Tanzu Rabbitmq
Ubuntu