Impact
An unauthenticated client that opens a STOMP NIO connection can send an unbounded stream of header bytes that never terminate. The broker then allocates buffer space for those bytes without any limit, which can exhaust the JVM heap and destabilize the instance. The vulnerability is a memory allocation with excessive size issue (CWE-789) that effectively causes a denial of service, potentially affecting all broker operations. The described attack does not require authentication, which makes it highly exploitable from any network that can reach a STOMP endpoint.
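As an added illustration of the control the fix implies (this is example code, not ActiveMQ's own), a STOMP header reader that refuses to buffer header bytes beyond a fixed cap when the blank line that terminates the headers never arrives; the 4096-byte cap and the class and function names are assumptions.

```python
from dataclasses import dataclass, field

# Assumed cap for this illustration; the page gives no figure for ActiveMQ's own limit.
MAX_HEADER_BYTES = 4096


class HeaderTooLarge(Exception):
    """Header block exceeded the cap before its terminating blank line arrived."""


@dataclass
class StompHeaderReader:
    """Accumulates STOMP header bytes and refuses to buffer past a fixed cap."""
    max_header_bytes: int = MAX_HEADER_BYTES
    _buf: bytearray = field(default_factory=bytearray)

    def feed(self, chunk: bytes):
        """Append one socket read. Returns (command, headers, leftover) once the
        blank line ending the headers is seen, None while more bytes are needed.
        Transient over-allocation is bounded by one read; a stream with no
        terminator is rejected as soon as the cap is crossed (CWE-789 control)."""
        self._buf.extend(chunk)
        # STOMP allows LF or CRLF line endings; take whichever terminator comes first.
        ends = [(e, n) for e, n in ((self._buf.find(b"\n\n"), 2),
                                    (self._buf.find(b"\r\n\r\n"), 4)) if e != -1]
        if not ends:
            if len(self._buf) > self.max_header_bytes:
                self._buf.clear()  # drop the data rather than keep growing
                raise HeaderTooLarge(f"headers exceed {self.max_header_bytes} bytes")
            return None
        end, sep_len = min(ends)
        if end > self.max_header_bytes:
            self._buf.clear()
            raise HeaderTooLarge(f"headers exceed {self.max_header_bytes} bytes")
        lines = bytes(self._buf[:end]).replace(b"\r", b"").split(b"\n")
        leftover = bytes(self._buf[end + sep_len:])
        self._buf.clear()
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(b":")
            headers.setdefault(key.decode(), value.decode())  # STOMP: first value wins
        return lines[0].decode(), headers, leftover


def read_frame_headers(chunks, max_header_bytes=MAX_HEADER_BYTES):
    """Feed chunks in order; return the parsed tuple, "rejected" if the cap was
    hit, or None if the stream ended before the headers were complete."""
    reader = StompHeaderReader(max_header_bytes)
    for chunk in chunks:
        try:
            result = reader.feed(chunk)
        except HeaderTooLarge:
            return "rejected"
        if result is not None:
            return result
    return None
```

A caller that receives HeaderTooLarge should close the connection; the reader has already discarded the buffered bytes.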
Affected Systems
Apache Software Foundation product pages indicate that all three listed products (Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ Stomp) are affected in versions older than 5.19.8 (5.x line) or older than 6.2.7 (6.x line). Users running any impacted release prior to the specified patch versions are at risk. No other sub-product variants or versions are mentioned in the advisory.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity; no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw permits an unauthenticated client to send an infinite header stream, it can exhaust the JVM heap and cause the broker to crash or become unresponsive. The attack requires only a STOMP connection and no privileged state, so any remote actor with network access to the endpoint can cause the denial of service. Until the fixed release is applied, the exposure remains.
OpenCVE Enrichment