Description

Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature to restrict deserialization, but this feature could be bypassed. The .NET team has deprecated the built-in .NET binary serialization feature starting with .NET 9 and suggests migrating away from binary serialization. The project is considering to follow suit and drop this part of the NMS API altogether. Users are recommended to upgrade to version 2.1.1, which fixes the issue. We also recommend to migrate away from relying on .NET binary serialization as a hardening method for the future.

INFO

Published Date :

2025-04-18T15:23:31.658Z

Last Modified :

2025-04-23T15:39:08.654Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2025-29953 vulnerability.

Vendors Products
Apache
  • Activemq Nms Openwire
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-29953.

URL Resource
http://www.openwall.com/lists/oss-security/2025/04/18/3 cve-icon
https://lists.apache.org/thread/vc1sj9y3056d3kkhcvrs9fyw5w8kpmlx cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact