CVE-2025-29953: Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass
First published: Fri Apr 18 2025(Updated: )
Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious responses that may eventually cause arbitrary code execution on the client. Version 2.1.0 introduced a allow/denylist feature to restrict deserialization, but this feature could be bypassed. The .NET team has deprecated the built-in .NET binary serialization feature starting with .NET 9 and suggests migrating away from binary serialization. The project is considering to follow suit and drop this part of the NMS API altogether. Users are recommended to upgrade to version 2.1.1, which fixes the issue. We also recommend to migrate away from relying on .NET binary serialization as a hardening method for the future.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache ActiveMQ NMS OpenWire Client | <2.1.1 | |
| nuget/Apache.NMS.ActiveMQ | <2.1.1 | 2.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread/vc1sj9y3056d3kkhcvrs9fyw5w8kpmlx
- http://www.openwall.com/lists/oss-security/2025/04/18/3
- https://nvd.nist.gov/vuln/detail/CVE-2025-29953
- https://github.com/apache/activemq-nms-openwire/commit/8944c41
- https://issues.apache.org/jira/browse/AMQNET-844
- https://github.com/advisories/GHSA-9g64-r942-fvmp (Advisory)
Frequently Asked Questions
What is the severity of CVE-2025-29953?
CVE-2025-29953 is classified as a critical vulnerability due to the potential for remote code execution via untrusted data deserialization.
How do I fix CVE-2025-29953?
To mitigate CVE-2025-29953, update Apache ActiveMQ NMS OpenWire Client to version 2.1.1 or later.
Which versions of Apache ActiveMQ NMS OpenWire Client are affected by CVE-2025-29953?
CVE-2025-29953 affects Apache ActiveMQ NMS OpenWire Client versions prior to 2.1.1.
What are the impacts of CVE-2025-29953 on my system?
Exploitation of CVE-2025-29953 can lead to unauthorized code execution and potential system compromise.
Is there a way to mitigate the risk of CVE-2025-29953 without an immediate upgrade?
As a temporary measure, ensure connections are made only to trusted servers and limit exposure to untrusted data.
- agent/weakness
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- collector/oss-sec
- source/oss-sec
- alias/CVE-2025-29953
- agent/guess-ai
- agent/software-canonical-lookup
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-9g64-r942-fvmp
- agent/last-modified-date
- agent/references
- agent/source
- agent/softwarecombine
- agent/tags
- agent/severity
- agent/event
- agent/trending
- collector/nvd-cve
- vendor/apache
- canonical/apache activemq nms openwire client
- package-manager/nuget