PT-2025-42438 · Apache · Apache ActiveMQ NMS AMQP Client
Published: 2025-10-16 · Updated: 2026-06-01 · CVE-2025-54539
CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache ActiveMQ NMS AMQP versions prior to 2.4.0
Description
A deserialization of untrusted data issue exists in the Apache ActiveMQ NMS AMQP Client. A malicious AMQP server can craft responses that exploit the client's unbounded deserialization logic, which may lead to arbitrary code execution on the client side when the client connects to an untrusted AMQP server. Although a mechanism to restrict deserialization via allow/deny lists was introduced in version 2.1.0, this protection can be bypassed under certain conditions.
Recommendations
Upgrade to version 2.4.0 or later.
Migrate away from .NET binary serialization as a long-term hardening strategy.
Tags: Fix · RCE
Weakness Enumeration: Deserialization of Untrusted Data
Related Identifiers: CVE-2025-54539
Affected Products: Apache ActiveMQ NMS AMQP Client