Apache ActiveMQ, Integer Overflow, CVE-2025-66168 (Medium)

Listen to this Post

The vulnerability, discovered by Gai Tanaka, exists in the MQTT module of Apache ActiveMQ . It stems from improper validation of the “remaining length” field in MQTT control packets . According to the MQTT v3.1.1 specification, this field is restricted to a maximum of 4 bytes . However, when ActiveMQ decodes a malformed packet, the lack of validation can cause an integer overflow in the calculation of the total remaining length . As a result of this miscalculation, the broker misinterprets the single malicious payload as multiple different MQTT control packets . This behavior violates the protocol specification and leads to unexpected broker behavior, potentially disrupting message handling . The attack vector requires an established connection, meaning the attacker must first complete the authentication process . Furthermore, the broker is only susceptible if the MQTT transport connectors are explicitly enabled; brokers without this feature are not impacted . This flaw affects Apache ActiveMQ versions before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 . The issue is fixed in versions 5.19.2, 6.1.9, and 6.2.1 . The vulnerability has a CVSS base score of 5.4, classifying it as a medium-severity issue .
Platform: Apache ActiveMQ
Version: <5.19.2,6.0.0-6.1.8,6.2.0
Vulnerability : MQTT Integer Overflow
Severity: Medium (5.4)
date: 2026-03-04

Prediction: Patches already released

What Undercode Say:

Analytics:

To check the version of ActiveMQ, you can often look at the filenames in the installation directory or use a command-line tool if available. For example, if ActiveMQ is running, you might check the version from the lib directory:

Example: Check the ActiveMQ JAR file version
ls -la /path/to/activemq/lib/activemq-broker-.jar
Or, if ActiveMQ is running, you could check the status page or
use curl to get the version from the web console (if enabled and accessible)
curl -s http://localhost:8161/api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost,service=Health/CurrentStatus | jq '.value.version'
For Ubuntu/Debian packages, use:
dpkg -l | grep activemq
For RHEL/CentOS, use:
rpm -qa | grep activemq

Exploit:

While a full exploit script is not provided, the concept involves a crafted MQTT packet. A malicious client, after authenticating, would send a CONNECT or other control packet with a malformed “Remaining Length” field. The field is encoded using a variable-length scheme. The exploit would manipulate the continuation bit or the value itself to cause an integer overflow when the broker calculates the total length. For example, setting a remaining length that, when added to the fixed header, exceeds the integer limit, leading to a small, incorrect value and causing the parser to read subsequent data as new packets.

Pseudocode concept for a malformed MQTT packet builder
def build_malformed_packet():
Fixed header: 0x10 = CONNECT, 0x?? = malformed remaining length
The remaining length field should be 1-4 bytes with the top bit set for continuation.
Malformed case: Provide a value that causes overflow in the broker's calculation.
e.g., a remaining length that is extremely large but encoded in a way that the
overflow wraps it to a small number.
malformed_length_bytes = b'\xFF\xFF\xFF\x7F' Example that could trigger overflow
fixed_header = b'\x10' + malformed_length_bytes
The actual payload would be shorter than the claimed length, leading to parsing errors.
return fixed_header + b'\x00\x04MQTT\x04\x02\x00\x3C'

Protection:

The primary protection is to upgrade to a patched version.

Upgrade using package manager (example for Debian/Ubuntu)
sudo apt update
sudo apt install activemq
Or, download and replace the binaries manually from the official Apache archive.
As a temporary mitigation, disable the MQTT transport connector in the ActiveMQ configuration file (activemq.xml).
Find and comment out or remove the MQTT transport connector line:
<transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&wireFormat.maxFrameSize=104857600"/>
After modification, restart the ActiveMQ service:
sudo systemctl restart activemq
Verify MQTT is disabled:
netstat -tulpn | grep 1883

Impact:

A successful exploit allows an authenticated attacker to cause a denial of service (DoS) by disrupting the normal message handling of the broker . It can lead to unexpected broker behavior, potentially corrupting the message flow for other clients and violating the MQTT specification . The impact is limited to confidentiality and integrity (C:L/I:L) with no availability impact listed in the CVSS, but the unexpected behavior can effectively degrade or halt reliable messaging . Brokers without MQTT enabled are not affected .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top