Apache ActiveMQ: Malformed Packets Can Cause Unexpected Behavior
CVE-2025-66168
GHSA-c825-6ph3-4h84
Summary
Apache ActiveMQ, a message broker, may misinterpret certain types of packets sent by clients. This could cause unexpected behavior when communicating with non-compliant clients. To fix this issue, update to version 5.19.2, 6.1.9, or 6.2.1.
What to do
- Update apache org.apache.activemq:apache-activemq to version 5.19.2.
- Update apache org.apache.activemq:apache-activemq to version 6.1.9.
- Update apache org.apache.activemq:apache-activemq to version 6.2.1.
- Update apache org.apache.activemq:activemq-all to version 5.19.2.
- Update apache org.apache.activemq:activemq-all to version 6.1.9.
- Update apache org.apache.activemq:activemq-all to version 6.2.1.
- Update apache org.apache.activemq:activemq-mqtt to version 5.19.2.
- Update apache org.apache.activemq:activemq-mqtt to version 6.1.9.
- Update apache org.apache.activemq:activemq-mqtt to version 6.2.1.
- Update activemq to version 6.2.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| apache | org.apache.activemq:apache-activemq | <= 5.19.2 | 5.19.2 |
| apache | org.apache.activemq:apache-activemq | > 6.0.0 , <= 6.1.9 | 6.1.9 |
| apache | org.apache.activemq:apache-activemq | 6.2.0 | 6.2.1 |
| apache | org.apache.activemq:activemq-all | <= 5.19.2 | 5.19.2 |
| apache | org.apache.activemq:activemq-all | > 6.0.0 , <= 6.1.9 | 6.1.9 |
| apache | org.apache.activemq:activemq-all | 6.2.0 | 6.2.1 |
| apache | org.apache.activemq:activemq-mqtt | <= 5.19.2 | 5.19.2 |
| apache | org.apache.activemq:activemq-mqtt | > 6.0.0 , <= 6.1.9 | 6.1.9 |
| apache | org.apache.activemq:activemq-mqtt | 6.2.0 | 6.2.1 |
| apache | activemq | <= 5.19.2 | – |
| apache | activemq | > 6.0.0 , <= 6.1.9 | – |
| apache | activemq | 6.2.0 | – |
| – | activemq | > 6.2.0 , <= 6.2.1 | 6.2.1 |
| apache | org.apache.activemq:apache-activemq | > 6.2.0 , <= 6.2.1 | 6.2.1 |
| apache | org.apache.activemq:activemq-all | > 6.2.0 , <= 6.2.1 | 6.2.1 |
| apache | org.apache.activemq:activemq-mqtt | > 6.2.0 , <= 6.2.1 | 6.2.1 |
| apache | activemq | > 6.0.0 , <= 6.1.8 | – |
Original title
Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorre...
Original description
Apache ActiveMQ does not properly validate the Remaining Length field, which may lead to an integer overflow during the decoding of malformed packets. When this overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets, which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that do not enable MQTT transport connectors are not impacted.
This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0.
Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.
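The decoding flaw the description refers to is in how the MQTT fixed header's Remaining Length is read. Below is an added example (not ActiveMQ's code) that contrasts the flawed pattern, a loop with no limit on continuation bytes accumulating into a 32-bit integer, with a decoder that enforces the 4-byte limit from MQTT v3.1.1; the header bytes are constructed, and Go is used because its int32 arithmetic wraps the way a 32-bit integer does in the broker.

```go
package main

import "errors"

// Constructed MQTT v3.1.1 fixed headers (not captured from ActiveMQ): byte 0 is
// the control byte (0x30 = PUBLISH); the Remaining Length after it uses 7 data
// bits per byte, high bit = "another byte follows", and is capped at 4 bytes.
var (
	validHeader     = []byte{0x30, 0xC1, 0x02}                               // Remaining Length 321
	malformedHeader = []byte{0x30, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F} // 7-byte field: illegal
)

var ErrMalformedRemainingLength = errors.New("mqtt: Remaining Length exceeds 4 bytes")

// decodeUnchecked is the flawed pattern the advisory describes: no limit on the
// number of continuation bytes, accumulating into a 32-bit integer. The multiplier
// wraps on the 5th byte, the total comes out wrong (negative here), and framing
// built on it misreads the rest of the stream as additional control packets.
func decodeUnchecked(buf []byte) (length int32, consumed int) {
	var multiplier int32 = 1
	for i := 1; i < len(buf); i++ {
		b := buf[i]
		length += int32(b&0x7F) * multiplier
		multiplier *= 128
		if b&0x80 == 0 {
			return length, i + 1
		}
	}
	return length, len(buf)
}

// decodeRemainingLength enforces the MQTT v3.1.1 rule (section 2.2.3): at most
// four bytes, so the value never exceeds 268,435,455 and cannot overflow. A
// fourth byte that still has its continuation bit set is a malformed packet;
// the broker should reject it (close the connection), not keep decoding.
func decodeRemainingLength(buf []byte) (length int, consumed int, err error) {
	multiplier := 1
	for i := 1; i < len(buf); i++ {
		b := buf[i]
		length += int(b&0x7F) * multiplier
		multiplier *= 128
		if b&0x80 == 0 {
			return length, i + 1, nil
		}
		if i == 4 {
			return 0, 0, ErrMalformedRemainingLength
		}
	}
	return 0, 0, errors.New("mqtt: truncated fixed header")
}
```

On the malformed header the unchecked decoder returns a length of -1 after consuming all 8 bytes, while the checked decoder returns ErrMalformedRemainingLength as soon as the fourth length byte is seen with its continuation bit set.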
NVD CVSS 3.1 score: 8.8
Vulnerability type: CWE-190 (Integer Overflow)
References
- https://lists.apache.org/thread/13n8mkrb2jf2y6yyhpgrkmpqcm7djyto (mailing list, vendor advisory)
- http://www.openwall.com/lists/oss-security/2026/03/03/5 (mailing list, third-party advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-66168
- https://github.com/advisories/GHSA-c825-6ph3-4h84
- https://github.com/apache/activemq (product)
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026