Apache ActiveMQ Vulnerability Enables DoS Attacks via Malformed Packets
A newly disclosed vulnerability in Apache ActiveMQ exposes brokers to denial-of-service (DoS) conditions through malformed MQTT packets, posing a risk to enterprise messaging infrastructure worldwide.
Tracked as CVE-2025-66168, the flaw stems from improper validation of the MQTT protocol’s Remaining Length field, leading to an integer overflow during packet decoding.
Apache ActiveMQ fails to properly validate the Remaining Length field in MQTT packets, a critical component defined by the MQTT v3.1.1 specification, which restricts this field to a maximum of 4 bytes. When a malformed packet with an out-of-spec Remaining Length value is received, ActiveMQ performs an integer overflow during decoding.
As a result, the broker miscalculates the total Remaining Length and misinterprets the payload as multiple MQTT control packets. This unexpected parsing behavior causes the broker to act on malformed or phantom control packets, leaving it susceptible to instability, crashes, or disrupted message delivery, conditions consistent with a denial-of-service attack.
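As an added illustration, not ActiveMQ's own code, the Python below decodes the MQTT v3.1.1 Remaining Length field while enforcing the 4-byte bound the article says was not validated, and uses that decoder to frame a byte stream into control packets; the byte sequences used with it are constructed test vectors built from the specification's encoding.

```python
# Added example, not ActiveMQ code: MQTT v3.1.1 Remaining Length handling
# that enforces the 4-byte bound the article says was not validated.

MAX_REMAINING_LENGTH_BYTES = 4       # the specification caps the field at 4 bytes
MAX_REMAINING_LENGTH = 268_435_455   # encoded as FF FF FF 7F

class MalformedPacket(ValueError):
    """Raised when the Remaining Length field violates the specification."""

def decode_remaining_length(buf: bytes, offset: int = 0) -> tuple:
    """Return (value, bytes_used) for the variable-length field at buf[offset].
    Each byte carries 7 value bits; the high bit means another byte follows.
    Fields longer than 4 bytes or cut off by the buffer end are rejected."""
    value, multiplier, consumed = 0, 1, 0
    while True:
        if consumed >= MAX_REMAINING_LENGTH_BYTES:
            raise MalformedPacket("Remaining Length longer than 4 bytes")
        if offset + consumed >= len(buf):
            raise MalformedPacket("truncated Remaining Length")
        byte = buf[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if not byte & 0x80:
            return value, consumed

def encode_remaining_length(value: int) -> bytes:
    """Encode a length per the specification (used here to build test vectors)."""
    if not 0 <= value <= MAX_REMAINING_LENGTH:
        raise ValueError("Remaining Length out of range")
    out = bytearray()
    while True:
        digit, value = value % 128, value // 128
        out.append(digit | 0x80 if value else digit)
        if not value:
            return bytes(out)

def split_packets(stream: bytes) -> list:
    """Frame a byte stream into control packets with the validated decoder; a
    decoder that mis-sizes the field would place boundaries wrongly and hand the
    broker phantom packets, whereas this one rejects the input."""
    packets, pos = [], 0
    while pos < len(stream):
        length, used = decode_remaining_length(stream, pos + 1)  # byte 0: type/flags
        end = pos + 1 + used + length
        if end > len(stream):
            raise MalformedPacket("payload shorter than Remaining Length")
        packets.append(stream[pos:end])
        pos = end
    return packets
```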
The vulnerability is triggered on established connections and only after authentication; an attacker first establishes a valid session before exploiting the flaw.
However, this does not significantly reduce risk in environments with broad or weakly controlled access. Importantly, brokers that have not enabled MQTT transport connectors are not affected by this issue. Security researcher Gai Tanaka was credited with discovering and reporting the vulnerability to the Apache Security Team.
Affected Versions
- Apache ActiveMQ (apache-activemq): before 5.19.2, versions 6.0.0 through 6.1.8, and version 6.2.0
- Apache ActiveMQ All Module (activemq-all): before 5.19.2, versions 6.0.0 through 6.1.8, and version 6.2.0
- Apache ActiveMQ MQTT Module (activemq-mqtt): before 5.19.2, versions 6.0.0 through 6.1.8, and version 6.2.0
Apache ActiveMQ is one of the most widely deployed open-source message brokers, used in financial services, healthcare, telecommunications, and enterprise application integration pipelines.
Any disruption to messaging infrastructure can cascade into broader service outages, making DoS vulnerabilities in this context particularly severe.
ActiveMQ has historically been a high-value target for threat actors. Previous critical vulnerabilities, including CVE-2023-46604, were actively exploited within days of public disclosure to deploy ransomware and remote access tools.
According to Apache, while CVE-2025-66168 is limited to DoS impact rather than remote code execution, organizations should treat it with urgency given ActiveMQ’s track record as an exploitation target.
The violation of the MQTT v3.1.1 specification in this case also raises concerns about protocol conformance testing in broker implementations, which could indicate a broader class of parsing vulnerabilities worth auditing.
Mitigation
The Apache Software Foundation has released patched versions addressing the vulnerability. Users are strongly recommended to upgrade immediately to one of the following fixed releases: 5.19.2, 6.1.9, or 6.2.1.
Organizations that cannot patch immediately should disable MQTT transport connectors as a temporary measure; this flaw does not impact brokers without MQTT enabled.
Site: cybersecuritypath.com