SecuriTricks - CVE-2025-29953

Description

Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature to restrict deserialization, but this feature could be bypassed. The .NET team has deprecated the built-in .NET binary serialization feature starting with .NET 9 and suggests migrating away from binary serialization. The project is considering to follow suit and drop this part of the NMS API altogether. Users are recommended to upgrade to version 2.1.1, which fixes the issue. We also recommend to migrate away from relying on .NET binary serialization as a hardening method for the future.

Product(s) Impacted

Vendor	Product	Versions
Apache	Activemq Nms Openwire Client	<2.1.1, 2.1.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	apache	activemq_nms_openwire_client	<2.1.1	/	/	/	/	/	/	/
a	apache	activemq_nms_openwire_client	2.1.1	/	/	/	/	/	/	/

References

https://lists.apache.org/thread/vc1sj9y3056d3kkhcvrs9fyw5w8kpmlx

http://www.openwall.com/lists/oss-security/2025/04/18/3

Timeline

Published: April 18, 2025, 4:15 p.m.
Last Modified: April 18, 2025, 6:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@apache.org

CVE-2025-29953