Description
CometD is a scalable comet implementation for web messaging. In versions 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8, bad clients that always send a fixed batch value when the server is using the acknowledgement extension may cause the unacknowledged message queue to grow indefinitely, eventually causing an `OutOfMemoryError`. Versions 5.0.23, 6.0.19, 7.0.19, and 8.0.9 patch the issue. As a workaround, disable the acknowledgement extension.
Published: 2026-06-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CometD implements comet-based web messaging. Versions 5.0.0‑5.0.22, 6.0.0‑6.0.18, 7.0.0‑7.0.18, and 8.0.0‑8.0.8 contain a flaw in the acknowledgment extension. Clients that continuously send a fixed batch value cause the server’s unacknowledged message queue to grow without bound, eventually triggering an OutOfMemoryError and crashing the JVM. This resource‑exhaustion weakness (CWE‑400) results in a denial of service that brings the messaging service and any dependent applications offline.

Affected Systems

Affected products are the CometD library versions listed above. The vendor product is CometD. Versions 5.0.0 to 5.0.22, 6.0.0 to 6.0.18, 7.0.0 to 7.0.18, and 8.0.0 to 8.0.8 are impacted. CometD 5.0.23, 6.0.19, 7.0.19, and 8.0.9 or newer contain the fix.

Risk and Exploitability

The CVSS base score of 7.5 indicates a high‑impact denial‑of‑service scenario. EPSS information is not available, so the exploitation probability cannot be quantified, and the vulnerability is not listed in CISA KEV. The likely attack vector is remote clients exploiting the messaging protocol; an attacker only needs to act as a client that repeatedly sends the same batch value while the server uses the acknowledgment extension. When these conditions are met, an attacker can rapidly consume memory and crash the server.

Generated by OpenCVE AI on June 18, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CometD to a patched version (5.0.23 or newer, 6.0.19, 7.0.19, or 8.0.9+).
  • Disable the acknowledgment extension in the server configuration if upgrading is not immediately possible, following the official workaround.
  • Track JVM memory usage and application logs for OutOfMemoryError signs to detect exploitation attempts.

Generated by OpenCVE AI on June 18, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cqgj-h8vf-4w59 Acknowledgement extension out of memory
History

Thu, 18 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Cometd
Cometd cometd
Vendors & Products Cometd
Cometd cometd

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description CometD is a scalable comet implementation for web messaging. In versions 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8, bad clients that always send a fixed batch value when the server is using the acknowledgement extension may cause the unacknowledged message queue to grow indefinitely, eventually causing an `OutOfMemoryError`. Versions 5.0.23, 6.0.19, 7.0.19, and 8.0.9 patch the issue. As a workaround, disable the acknowledgement extension.
Title CometD has acknowledgement extension out of memory
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T17:33:39.552Z

Reserved: 2025-06-25T13:41:23.088Z

Link: CVE-2025-53114

cve-icon Vulnrichment

Updated: 2026-06-18T17:31:30.370Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:00:11Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption