Thanks Christopher, do we know the timeline of when https://www.cve.org/CVERecord?id=CVE-2025-66168 will be published? And what is the severity of this CVE?

Ken

On Tue, Mar 3, 2026 at 9:26 AM Christopher L. Shannon <[email protected]> wrote:
> Severity:
>
> Affected versions:
>
> - Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.2
> - Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.1.9
> - Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.2.0 before 6.2.1
> - Apache ActiveMQ All Module (org.apache.activemq:activemq-all) before 5.19.2
> - Apache ActiveMQ All Module (org.apache.activemq:activemq-all) 6.0.0 before 6.1.9
> - Apache ActiveMQ All Module (org.apache.activemq:activemq-all) 6.2.0 before 6.2.1
> - Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) before 5.19.2
> - Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) 6.0.0 before 6.1.9
> - Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) 6.2.0 before 6.2.1
>
> Description:
>
> Apache ActiveMQ does not properly validate the remaining length field
> which may lead to an overflow during the decoding of malformed
> packets. When this integer overflow occurs, ActiveMQ may incorrectly
> compute the total Remaining Length and subsequently misinterpret the
> payload as multiple MQTT control packets which makes the broker susceptible
> to unexpected behavior when interacting with non-compliant clients. This
> behavior violates the MQTT v3.1.1 specification, which restricts Remaining
> Length to a maximum of 4 bytes. The scenario occurs on established
> connections after the authentication process. Brokers that are not enabling
> mqtt transport connectors are not impacted.
>
> This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0
>
> Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which
> fixes the issue.
>
> Credit:
>
> Gai Tanaka <[email protected]> (finder)
>
> References:
>
> https://activemq.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2025-66168
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> For further information, visit: https://activemq.apache.org/contact
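The quoted advisory turns on one detail of the MQTT v3.1.1 fixed header: Remaining Length is a variable-length integer of at most 4 bytes (7 data bits per byte, high bit as continuation, maximum value 268,435,455), and a decoder that keeps accumulating past the fourth byte can overflow its integer and misframe the rest of the stream. The following is an added example, not code from the thread or from Apache ActiveMQ, showing what a spec-conforming decoder looks like: it stops at the 4-byte bound, rejects truncated fields, and frames control packets from a byte stream only with a validated length. The packet bytes in the usage section are constructed for illustration; `frame_control_packets` and the exception name are this example's own.

```python
"""Strict MQTT v3.1.1 Remaining Length handling (added example, not ActiveMQ code)."""

# MQTT v3.1.1 section 2.2.3: Remaining Length is encoded in 1 to 4 bytes.
MAX_REMAINING_LENGTH_BYTES = 4
MAX_REMAINING_LENGTH = 268_435_455  # largest value 4 bytes can carry (0xFF 0xFF 0xFF 0x7F)


class MalformedRemainingLength(ValueError):
    """Raised when the Remaining Length field violates the specification."""


def decode_remaining_length(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Decode the Remaining Length starting at buf[offset].

    Returns (remaining_length, bytes_consumed). Raises MalformedRemainingLength
    if the field is truncated or uses more than the 4 bytes the spec allows,
    so the accumulated value can never exceed MAX_REMAINING_LENGTH and a
    fixed-width integer cannot overflow.
    """
    multiplier = 1
    value = 0
    consumed = 0
    while True:
        if offset + consumed >= len(buf):
            raise MalformedRemainingLength("truncated Remaining Length")
        encoded = buf[offset + consumed]
        consumed += 1
        value += (encoded & 0x7F) * multiplier
        if encoded & 0x80 == 0:  # continuation bit clear: this was the last byte
            return value, consumed
        if consumed >= MAX_REMAINING_LENGTH_BYTES:
            # A continuation bit on the 4th byte asks for a 5th byte: reject it
            # instead of continuing to accumulate (the spec's "Malformed" case).
            raise MalformedRemainingLength(
                f"Remaining Length uses more than {MAX_REMAINING_LENGTH_BYTES} bytes"
            )
        multiplier *= 128


def encode_remaining_length(n: int) -> bytes:
    """Encode n as an MQTT Remaining Length (inverse of decode_remaining_length)."""
    if not 0 <= n <= MAX_REMAINING_LENGTH:
        raise ValueError(f"Remaining Length {n} is out of range")
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80  # more bytes follow
        out.append(byte)
        if n == 0:
            return bytes(out)


def frame_control_packets(stream: bytes) -> list[tuple[int, bytes]]:
    """Split a byte stream into (packet_type, remaining_bytes) control packets.

    Every packet boundary comes from a validated Remaining Length, and a packet
    that claims more bytes than the stream holds is rejected rather than being
    silently re-framed as several shorter packets.
    """
    packets = []
    pos = 0
    while pos < len(stream):
        packet_type = stream[pos] >> 4  # high nibble of the first fixed-header byte
        length, consumed = decode_remaining_length(stream, pos + 1)
        start = pos + 1 + consumed
        end = start + length
        if end > len(stream):
            raise MalformedRemainingLength("Remaining Length exceeds available data")
        packets.append((packet_type, stream[start:end]))
        pos = end
    return packets


if __name__ == "__main__":
    # Constructed sample stream: a PINGREQ (type 12, length 0) followed by a
    # PUBLISH (type 3) whose remaining bytes are the five bytes b"hello".
    sample = bytes([0xC0, 0x00]) + bytes([0x30]) + encode_remaining_length(5) + b"hello"
    print(frame_control_packets(sample))
    # A 5-byte Remaining Length is rejected instead of being accumulated further.
    try:
        decode_remaining_length(bytes([0xFF, 0xFF, 0xFF, 0xFF, 0x7F]))
    except MalformedRemainingLength as exc:
        print("rejected:", exc)
```

The `consumed >= MAX_REMAINING_LENGTH_BYTES` check before the multiplier grows is the whole mitigation: with it, the largest value the accumulator can reach is 268,435,455, which fits comfortably in a 32-bit signed integer, so there is nothing left to wrap. For a broker, rejecting the field should result in closing the connection, and a counter or log line on that path gives operations a cheap signal that a non-compliant client is talking to the MQTT connector.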
