Apache · Apache Activemq · CVE-2015-5254
**Name of the Vulnerable Software and Affected Versions**
Apache ActiveMQ versions prior to 5.13.0
**Description**
The Java Message Service (JMS) in the broker fails to restrict the classes that can be serialized, leading to unsafe deserialization. This lack of input validation allows a remote attacker to execute arbitrary code by sending a specially crafted serialized `ObjectMessage` object.
**Recommendations**
Update to version 5.13.0 or later.