Impact
CometD implements comet-based web messaging. Versions 5.0.0‑5.0.22, 6.0.0‑6.0.18, 7.0.0‑7.0.18, and 8.0.0‑8.0.8 contain a flaw in the acknowledgment extension. Clients that continuously send a fixed batch value cause the server’s unacknowledged message queue to grow without bound, eventually triggering an OutOfMemoryError and crashing the JVM. This resource‑exhaustion weakness (CWE‑400) results in a denial of service that brings the messaging service and any dependent applications offline.
Affected Systems
Affected products are the CometD library versions listed above. The vendor product is CometD. Versions 5.0.0 to 5.0.22, 6.0.0 to 6.0.18, 7.0.0 to 7.0.18, and 8.0.0 to 8.0.8 are impacted. CometD 5.0.23, 6.0.19, 7.0.19, and 8.0.9 or newer contain the fix.
Risk and Exploitability
The CVSS base score of 7.5 indicates a high‑impact denial‑of‑service scenario. EPSS information is not available, so the exploitation probability cannot be quantified, and the vulnerability is not listed in CISA KEV. The likely attack vector is remote clients exploiting the messaging protocol; an attacker only needs to act as a client that repeatedly sends the same batch value while the server uses the acknowledgment extension. When these conditions are met, an attacker can rapidly consume memory and crash the server.
OpenCVE Enrichment
Github GHSA