Ken- The severity is a 5.4

-Matt

> On Mar 3, 2026, at 9:49 PM, Ken Liao <[email protected]> wrote:
>
> Thanks Christopher,
>
> Do we know the timeline of when
> https://www.cve.org/CVERecord?id=CVE-2025-66168 will be published? And what is
> the severity of this CVE?
>
> Ken
>
> On Tue, Mar 3, 2026 at 9:26 AM Christopher L. Shannon <[email protected]>
> wrote:
>
>> Severity:
>>
>> Affected versions:
>>
>> - Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.2
>> - Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.1.9
>> - Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.2.0 before 6.2.1
>> - Apache ActiveMQ All Module (org.apache.activemq:activemq-all) before 5.19.2
>> - Apache ActiveMQ All Module (org.apache.activemq:activemq-all) 6.0.0 before 6.1.9
>> - Apache ActiveMQ All Module (org.apache.activemq:activemq-all) 6.2.0 before 6.2.1
>> - Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) before 5.19.2
>> - Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) 6.0.0 before 6.1.9
>> - Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) 6.2.0 before 6.2.1
>>
>> Description:
>>
>> Apache ActiveMQ does not properly validate the remaining length field
>> which may lead to an overflow during the decoding of malformed
>> packets. When this integer overflow occurs, ActiveMQ may incorrectly
>> compute the total Remaining Length and subsequently misinterpret the
>> payload as multiple MQTT control packets which makes the broker susceptible
>> to unexpected behavior when interacting with non-compliant clients. This
>> behavior violates the MQTT v3.1.1 specification, which restricts Remaining
>> Length to a maximum of 4 bytes. The scenario occurs on established
>> connections after the authentication process. Brokers that are not enabling
>> mqtt transport connectors are not impacted.
>>
>> This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and
>> 6.2.0
>>
>> Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which
>> fixes the issue.
>>
>> Credit:
>>
>> Gai Tanaka <[email protected]> (finder)
>>
>> References:
>>
>> https://activemq.apache.org/
>> https://www.cve.org/CVERecord?id=CVE-2025-66168
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>> For further information, visit: https://activemq.apache.org/contact
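The Remaining Length decoding described in the quoted advisory, as an added example that is not part of this thread or of the ActiveMQ code base: a decoder that enforces the MQTT v3.1.1 limit of 4 bytes for the field, plus a frame splitter built on it, so that an over-long encoding is rejected instead of being accumulated past the limit and turned into a wrong packet boundary. The function names and the packet bytes in the comments are constructed for illustration.

```python
MAX_REMAINING_LENGTH_BYTES = 4  # MQTT v3.1.1 section 2.2.3: at most 4 bytes


class MalformedPacket(ValueError):
    """Raised when a fixed header cannot be decoded per the specification."""


def decode_remaining_length(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Decode the variable-length Remaining Length starting at buf[offset].

    Returns (value, bytes_consumed). Each byte carries 7 value bits; bit 7 set
    means another byte follows. Raises MalformedPacket on a 5th byte or if the
    buffer ends mid-field.
    """
    value, multiplier, consumed = 0, 1, 0
    while True:
        if consumed >= MAX_REMAINING_LENGTH_BYTES:
            # An unbounded loop would keep multiplying here; the spec says stop.
            raise MalformedPacket("Remaining Length longer than 4 bytes")
        if offset + consumed >= len(buf):
            raise MalformedPacket("truncated Remaining Length")
        b = buf[offset + consumed]
        consumed += 1
        value += (b & 0x7F) * multiplier
        multiplier *= 128
        if not b & 0x80:
            return value, consumed


def is_valid_remaining_length(buf: bytes) -> bool:
    """True if buf begins with a decodable, spec-compliant Remaining Length."""
    try:
        decode_remaining_length(buf)
        return True
    except MalformedPacket:
        return False


def split_control_packets(stream: bytes) -> list[bytes]:
    """Split a byte stream into whole control packets using the checked decoder.

    Constructed sample: b"\xc0\x00" (PINGREQ) followed by b"\x30\x02\x00\x00"
    (PUBLISH with a 2-byte body) splits into exactly those two packets.
    """
    packets, pos = [], 0
    while pos < len(stream):
        remaining, hdr_len = decode_remaining_length(stream, pos + 1)
        end = pos + 1 + hdr_len + remaining
        if end > len(stream):
            raise MalformedPacket("body shorter than its Remaining Length")
        packets.append(stream[pos:end])
        pos = end
    return packets
```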
