PT-2025-17306 · Apache · Apache ActiveMQ NMS OpenWire Client
G7Shot · Published 2025-04-18 · Updated 2025-05-05
CVE-2025-29953
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache ActiveMQ NMS OpenWire Client versions prior to 2.1.1
Description
The issue affects the Apache ActiveMQ NMS OpenWire Client when connecting to untrusted servers, allowing these servers to potentially abuse unbounded deserialization in the client. This could lead to malicious responses causing arbitrary code execution on the client. The .NET team has deprecated the built-in .NET binary serialization feature, and the project is considering dropping this part of the NMS API.
Recommendations
Upgrade to version 2.1.1 to fix the issue.
As a hardening measure for the future, migrate away from relying on .NET binary serialization.
Fix
RCE
Deserialization of Untrusted Data
Affected Products
Apache ActiveMQ NMS OpenWire Client