Impact
The vulnerability is an uncontrolled memory allocation (allocation with an excessive size value) in the OpenWire message property map unmarshalling process of Apache ActiveMQ. A crafted OpenWire message whose encoded size field is huge causes the broker to attempt an enormous allocation, producing an out‑of‑memory condition that crashes the service. Because the broker is responsible for message routing, its failure disrupts every client connected to the system, effectively denying legitimate users access to the messaging service. The weakness is a classic case of CWE‑789: Uncontrolled Memory Allocation.
Affected Systems
The affected vendor is the Apache Software Foundation; the affected products are Apache ActiveMQ itself (the core broker), the ActiveMQ All distribution, and the ActiveMQ Client libraries. Versions prior to 5.19.8 and all 6.0.0 releases up through 6.2.6 are vulnerable; 5.19.8 and 6.2.7 contain the fix.
Risk and Exploitability
The issue requires an authenticated connection to the ActiveMQ broker, so an attacker must first hold valid credentials or control a client that is already authenticated. From that position, a single specially crafted message is enough to trigger the crash. The CVSS score of 7.5 indicates high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the unmarshaller performs no validation of the encoded size before allocating, exploitation is likely to succeed wherever a hostile party can reach the broker; this assessment is inferred from the description rather than from observed exploitation. The broker offers no native guard against the overlarge allocation, so any authenticated party able to reach the broker can trigger the denial of service at will.
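To make the CWE‑789 pattern described under Impact and the missing size validation noted above concrete, the following is an added example, not ActiveMQ's own marshaller code. It decodes a length‑prefixed property map in two shapes: one that sizes its storage from the sender‑controlled count before reading anything, and one that checks every declared size against both a configured cap and the bytes actually present. The wire layout, the caps (`MAX_ENTRIES`, `MAX_FRAME_BYTES`), the sample frames and all function names are assumptions made for illustration and do not reflect the real OpenWire encoding.

```python
"""
Added example (not ActiveMQ's own code): a length-prefixed property-map decoder
in the vulnerable shape and in a bounds-checked shape. The wire layout below is
a constructed stand-in for OpenWire's map encoding, assumed for illustration:
  u32 entry count, then per entry: u16 key length, key bytes,
  u32 value length, value bytes (all big-endian).
"""
import struct

MAX_ENTRIES = 1024          # assumed cap on entries per property map
MAX_FRAME_BYTES = 1 << 20   # assumed cap on the bytes one map may occupy


class MalformedFrame(ValueError):
    """Raised when a declared size is inconsistent with the bytes present."""


def encode(props: dict) -> bytes:
    """Serialise a str->bytes map in the assumed layout (used to build samples)."""
    out = struct.pack(">I", len(props))
    for key, value in props.items():
        kb = key.encode("utf-8")
        out += struct.pack(">H", len(kb)) + kb
        out += struct.pack(">I", len(value)) + value
    return out


def decode_unchecked(data: bytes) -> dict:
    """CWE-789 shape: storage is sized from the untrusted count before any
    entry is read, so a header claiming 2**32-1 entries drives an allocation
    that dwarfs the few bytes actually on the wire."""
    (count,) = struct.unpack_from(">I", data, 0)
    slots = [None] * count              # allocation controlled by the sender
    off = 4
    for i in range(count):
        (klen,) = struct.unpack_from(">H", data, off)
        off += 2
        key = data[off:off + klen]
        off += klen
        (vlen,) = struct.unpack_from(">I", data, off)
        off += 4
        slots[i] = (key.decode("utf-8"), data[off:off + vlen])
        off += vlen
    return dict(slots)


def _read_field(data: bytes, off: int, fmt: str):
    """Read one length-prefixed field, refusing any declared length that
    exceeds the bytes remaining in the buffer."""
    width = struct.calcsize(fmt)
    if off + width > len(data):
        raise MalformedFrame("truncated length field")
    (n,) = struct.unpack_from(fmt, data, off)
    off += width
    if n > len(data) - off:
        raise MalformedFrame(f"declared {n} bytes but only {len(data) - off} remain")
    return data[off:off + n], off + n


def decode_checked(data: bytes, max_entries: int = MAX_ENTRIES,
                   max_bytes: int = MAX_FRAME_BYTES) -> dict:
    """Hardened shape: every size is validated against a configured cap and
    against the bytes actually present before it influences an allocation."""
    if len(data) > max_bytes:
        raise MalformedFrame(f"frame of {len(data)} bytes exceeds cap {max_bytes}")
    if len(data) < 4:
        raise MalformedFrame("truncated header")
    (count,) = struct.unpack_from(">I", data, 0)
    off = 4
    if count > max_entries:
        raise MalformedFrame(f"declared {count} entries exceeds cap {max_entries}")
    # Each entry carries at least 6 bytes of length fields, so a count that
    # cannot fit in the remaining payload is impossible and rejected up front.
    if count * 6 > len(data) - off:
        raise MalformedFrame(f"declared {count} entries cannot fit in {len(data) - off} bytes")
    result = {}
    for _ in range(count):            # storage grows only as entries are parsed
        key, off = _read_field(data, off, ">H")
        value, off = _read_field(data, off, ">I")
        result[key.decode("utf-8")] = value
    if off != len(data):
        raise MalformedFrame("trailing bytes after last entry")
    return result


def check(frame: bytes) -> str:
    """Classify a frame as the hardened decoder sees it (useful for triage logs)."""
    try:
        decode_checked(frame)
        return "accepted"
    except MalformedFrame as exc:
        return f"rejected: {exc}"


# Constructed sample frames.
BENIGN_FRAME = encode({"JMSXGroupID": b"orders", "priority": b"\x04"})
# Header claims 2**32-1 entries with no entry data behind it.
HUGE_COUNT_FRAME = struct.pack(">I", 0xFFFFFFFF)
# Sane count, but the single value declares ~2 GiB while one byte follows.
HUGE_VALUE_FRAME = (struct.pack(">I", 1) + struct.pack(">H", 1) + b"k"
                    + struct.pack(">I", 0x7FFFFFFF) + b"x")

if __name__ == "__main__":
    print(decode_unchecked(BENIGN_FRAME))
    for name, frame in [("benign", BENIGN_FRAME),
                        ("huge count", HUGE_COUNT_FRAME),
                        ("huge value", HUGE_VALUE_FRAME)]:
        print(f"{name:>10}: {check(frame)}")
```

The design point is that `decode_checked` never lets a number read from the wire drive an allocation on its own: the count is bounded by a cap and by what the remaining bytes could physically hold, each field length is compared with the bytes left, and the result dictionary grows only as valid entries are parsed. `decode_unchecked` is shown only on the benign frame; on the oversized frames it would attempt the very allocation the advisory describes.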
OpenCVE Enrichment