A newly disclosed vulnerability in Apache ActiveMQ NMS OpenWire Client, tracked as CVE-2025-29953, allows remote attackers to execute arbitrary code on affected systems, raising significant security concerns for organizations relying on this popular messaging middleware.
Vulnerability Overview
The flaw, identified as ZDI-25-266 and ZDI-CAN-22235, affects Apache ActiveMQ NMS OpenWire Client versions before 2.1.1.
It arises from improper validation in the Body accessor method, which enables the deserialization of untrusted data.
This security lapse can be exploited when the client connects to a malicious or compromised server, allowing attackers to send specially crafted responses that trigger code execution within the context of the client application.
The vulnerability is classified as critical, with a CVSS score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its potential impact on confidentiality, integrity, and availability.
Attackers do not require authentication or user interaction to exploit the flaw, although the attack complexity is rated as high due to the need for interaction with the vulnerable library.
Technical Details
The root cause lies in deserialization flaws-specifically, the failure to adequately restrict what classes can be deserialized when receiving data from untrusted servers.
Although version 2.1.0 introduced an allow/denylist mechanism to mitigate such risks, researchers found that it could be bypassed, leaving systems exposed until version 2.1.1
Affected Products and Mitigation
- Affected Product: Apache ActiveMQ NMS OpenWire Client (versions before 2.1.1)
- Vendor: Apache Software Foundation
Apache has released an update (version 2.1.1) to address the vulnerability. Users are strongly urged to upgrade immediately.
As a temporary measure, organizations should avoid connecting to untrusted servers and implement network-level restrictions to limit exposure.
Disclosure Timeline
- 2023-11-28: Vulnerability reported to Apache
- 2025-04-30: Coordinated public release and advisory update
Security Guidance
Failing to address this vulnerability could result in full system compromise, data theft, or service disruption.
Organizations should prioritize patching, review their server trust policies, and monitor for suspicious activity related to messaging infrastructure.
For more details and official guidance, refer to the Apache advisory.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=The flaw, identified as ZDI-25-266 and ZDI-CAN-22235, affects Apache ActiveMQ NMS OpenWire Client versions before 2.1.1.){kind=link}