PT-2026-48527 · Cometd · Cometd

Published: 2026-06-10 · Updated: 2026-06-10 · CVE-2025-53114

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
CometD versions 5.0.x
CometD versions 6.0.x
CometD versions 8.0.x

Description
Improper handling of the acknowledgement extension allows malicious clients to cause a server outage. A client that keeps sending a fixed batch value in the ext parameter (specifically ack: 1) on every request to the '/meta/connect' endpoint never acknowledges delivered messages, so the server-side queue of unacknowledged messages for that client grows without bound. This eventually leads to an OutOfMemoryError, at which point the JVM can no longer allocate memory for its operations and the server becomes unavailable.

Recommendations
Update CometD version 5.0.x to the patched version.
Update CometD version 6.0.x to the patched version.
Update CometD version 8.0.x to the patched version.
As a temporary workaround, disable the acknowledgement extension.

Fix

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CVE-2025-53114
GHSA-CQGJ-H8VF-4W59

Affected Products

Cometd