CVE-2025-66168 | THREATINT

Description

Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.

PUBLISHED Reserved 2025-11-21 | Published 2026-03-04 | Updated 2026-03-04 | Assigner apache

MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C

Problem types

CWE-190 Integer Overflow or Wraparound

Product status

Default status

unaffected

Any version before 5.19.2

affected

6.0.0 (semver) before 6.1.9

affected

6.2.0 (semver) before 6.2.1

affected

Default status

unaffected

Any version before 5.19.2

affected

6.0.0 (semver) before 6.1.9

affected

6.2.0 (semver) before 6.2.1

affected

Default status

unaffected

Any version before 5.19.2

affected

6.0.0 (semver) before 6.1.9

affected

6.2.0 (semver) before 6.2.1

affected

Credits

Gai Tanaka <641.work123@gmail.com> finder

References

www.openwall.com/lists/oss-security/2026/03/03/5

lists.apache.org/thread/13n8mkrb2jf2y6yyhpgrkmpqcm7djyto vendor-advisory

cve.org (CVE-2025-66168)

nvd.nist.gov (CVE-2025-66168)

Download JSON