PT-2026-22886 · Apache · Apache ActiveMQ

Published 2026-03-04 · Updated 2026-04-13 · CVE-2025-66168

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache ActiveMQ versions prior to 5.19.2
Apache ActiveMQ versions 6.0.0 through 6.1.8
Apache ActiveMQ version 6.2.0
Description
Apache ActiveMQ does not properly validate the Remaining Length field of the MQTT fixed header, so decoding a malformed packet can trigger an integer overflow. The MQTT v3.1.1 specification encodes Remaining Length as a variable-length integer of at most four bytes (maximum value 268,435,455); a packet that carries more length bytes than that violates the specification, and a decoder that keeps accepting them can wrap the computed total. ActiveMQ then miscalculates the total Remaining Length and interprets the packet payload as several MQTT control packets, resulting in unexpected behaviour when interacting with non-compliant clients. The issue occurs on established connections after authentication. Brokers that do not use an MQTT transport connector are not impacted.
Recommendations
Upgrade to Apache ActiveMQ version 5.19.2.
Upgrade to Apache ActiveMQ version 6.1.9.
Upgrade to Apache ActiveMQ version 6.2.1.
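The Remaining Length decoding flaw described above, as an added illustration that is neither ActiveMQ's code nor part of the advisory: a permissive decoder of the kind the description implies, beside one that enforces the MQTT v3.1.1 four-byte cap, and a frame splitter that shows how a wrapped length turns one packet into two. Go is used because int32 wraps on overflow the same way Java's int does. The function names, the splitter and the byte sequence `crafted` are all constructed for this example; the bytes are not captured traffic or a known exploit.

```go
package main

import (
	"errors"
	"fmt"
)

// MQTT v3.1.1 section 2.2.3: Remaining Length is a variable-length integer
// carrying 7 bits per byte, with 0x80 as the continuation flag, encoded in at
// most four bytes. The largest encodable value is therefore 268,435,455.
const (
	maxRemainingLengthBytes = 4
	maxRemainingLength      = 268435455
)

var (
	ErrMalformedRemainingLength = errors.New("mqtt: malformed remaining length")
	ErrTruncated                = errors.New("mqtt: truncated packet")
)

// Packet is one control packet split off the stream: fixed-header byte plus payload.
type Packet struct {
	Header  byte
	Payload []byte
}

// decodeUnchecked models the flaw: nothing limits how many length bytes the loop
// accepts. int32 wraps like Java's int, so a fifth byte (weight 2^28) can wrap
// the running total to zero or to a negative number.
func decodeUnchecked(buf []byte) (length int32, n int, err error) {
	var multiplier int32 = 1
	for i, b := range buf {
		length += int32(b&0x7f) * multiplier // wraps once the product exceeds 2^31-1
		multiplier *= 128
		if b&0x80 == 0 {
			return length, i + 1, nil
		}
	}
	return 0, 0, ErrTruncated
}

// decodeChecked rejects a fourth byte that still asks for a continuation, so no
// fifth byte is ever consumed and the total cannot exceed maxRemainingLength.
func decodeChecked(buf []byte) (length int, n int, err error) {
	multiplier := 1
	for i, b := range buf {
		length += int(b&0x7f) * multiplier
		if b&0x80 == 0 {
			return length, i + 1, nil
		}
		if i+1 >= maxRemainingLengthBytes {
			return 0, 0, ErrMalformedRemainingLength
		}
		multiplier *= 128
	}
	return 0, 0, ErrTruncated
}

// uncheckedAsInt adapts decodeUnchecked to the splitter's decoder signature.
func uncheckedAsInt(buf []byte) (int, int, error) {
	length, n, err := decodeUnchecked(buf)
	return int(length), n, err
}

// splitFrames cuts a byte stream into control packets with the given decoder.
// A wrapped length of 0 makes the bytes after the length prefix start a new packet.
func splitFrames(stream []byte, decode func([]byte) (int, int, error)) ([]Packet, error) {
	var packets []Packet
	for len(stream) > 0 {
		if len(stream) < 2 {
			return packets, ErrTruncated
		}
		length, n, err := decode(stream[1:])
		if err != nil {
			return packets, err
		}
		end := 1 + n + length
		if length < 0 || end > len(stream) {
			return packets, ErrTruncated
		}
		packets = append(packets, Packet{Header: stream[0], Payload: stream[1+n : end]})
		stream = stream[end:]
	}
	return packets, nil
}

// crafted is a constructed sequence (not captured traffic): a PUBLISH fixed header
// (0x30), a five-byte Remaining Length whose fifth byte contributes 16 * 2^28 = 2^32
// and wraps to 0 in int32, then 0xC0 0x00, which the permissive path parses as a PINGREQ.
var crafted = []byte{0x30, 0x80, 0x80, 0x80, 0x80, 0x10, 0xC0, 0x00}

func main() {
	packets, err := splitFrames(crafted, uncheckedAsInt)
	fmt.Printf("unchecked decoder: %d packet(s), err=%v\n", len(packets), err)
	for _, p := range packets {
		fmt.Printf("  type=%d remaining length=%d\n", p.Header>>4, len(p.Payload))
	}
	packets, err = splitFrames(crafted, decodeChecked)
	fmt.Printf("checked decoder:   %d packet(s), err=%v\n", len(packets), err)
}
```

With the permissive decoder the eight bytes come out as two packets (a zero-length PUBLISH followed by a PINGREQ), which is the "multiple control packets" behaviour the advisory describes; a fifth byte of 0x08 instead of 0x10 wraps the length to a negative value. The checked decoder stops at the fourth continuation byte and reports the packet as malformed before any payload boundary is computed.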

Weakness Enumeration

Integer Overflow

Related Identifiers

BIT-ACTIVEMQ-2025-66168
BIT-ACTIVEMQ-2026-40046
CVE-2025-66168
GHSA-C825-6PH3-4H84
GHSA-XVQC-PP94-FMPX
OESA-2026-1607
OESA-2026-1608
OESA-2026-1679
OESA-2026-1680
OESA-2026-1681

Affected Products

Apache ActiveMQ