CVE-2025-53114 affects CometD's message acknowledgement extension, which gives server-to-client messages reliable, ordered delivery: the server tags the batch of messages it returns in each `/meta/connect` reply with a batch number, the client echoes that number back in the `ext.ack` field of its next `/meta/connect`, and the server then discards the messages the client has confirmed it received. The flaw is that a client which deliberately sends the same batch value on every long-polling cycle (for example, always `{ "ext": { "ack": 1 } }`) is never treated as having acknowledged anything new, so the server's per-session queue of unacknowledged messages is never trimmed. Messages accumulate without bound, consuming heap until the JVM throws an OutOfMemoryError. The attack does not need a large number of connections: a single misbehaving client can exhaust the server's memory and cause a full denial of service.

The vulnerability affects CometD Java server 5.0.0 through 5.0.22, 6.0.x through 6.0.18, 7.0.x through 7.0.18, and 8.0.x through 8.0.8. Patches were backported to all supported branches, and the advisory recommends upgrading or, failing that, disabling the vulnerable extension entirely. The issue carries a CVSS base score of 7.5 (High): the attack vector is network-based, it requires no privileges or user interaction, and it results in a complete loss of availability (no confidentiality or integrity impact).
DailyCVE Form:
Platform: CometD Java
Version: 5.0.0 – 8.0.8
Vulnerability: ACK Extension OOM
Severity: High (7.5)
Date: Jun 10, 2026
Prediction: Aug 19, 2025
What Undercode Says:
Check the current CometD version in a Maven-based project (all server artifacts are named cometd-java-server-*):
mvn dependency:tree | grep cometd-java-server
import java.util.HashMap;
import java.util.Map;

// Simulate a malicious client that always sends a fixed ack batch value.
// `client` and `clientId` are placeholders: any transport that can send a Bayeux
// message (WebSocket or HTTP long-poll) and the clientId obtained from /meta/handshake.
Map<String, Object> fixedBatch = new HashMap<>();
fixedBatch.put("channel", "/meta/connect");
fixedBatch.put("clientId", clientId);            // required on every /meta/connect
fixedBatch.put("connectionType", "long-polling"); // or "websocket"
Map<String, Object> ext = new HashMap<>();
ext.put("ack", 1); // never increments, so the server never evicts acknowledged messages
fixedBatch.put("ext", ext);
// Send this /meta/connect repeatedly; the server keeps queueing messages for this session.
while (true) {
    client.send(fixedBatch);
    Thread.sleep(1000); // the enclosing method must declare or catch InterruptedException
}
Exploit:
An attacker can implement a custom CometD client that never increments the `ack` field: every long-poll or WebSocket `/meta/connect` it sends carries `ext: { ack: 1 }`. The server-side `AcknowledgedMessagesSessionExtension` sees a value that never advances and therefore never removes delivered messages from the per-session queue. Once enough messages have been queued (a few thousand, depending on message size and heap), the JVM spends most of its time in garbage collection and finally crashes with an OutOfMemoryError. A single malicious session is sufficient to take down an entire CometD instance, so exploitation is trivial for any attacker who can reach the public Bayeux endpoint.
Protection:
- Upgrade to a patched version: 5.0.23, 6.0.19, 7.0.19, 8.0.9, or any later release.
- If an immediate upgrade is not possible, disable the acknowledgement extension by not registering `AcknowledgedMessagesExtension` on the `BayeuxServer` (it is the server-wide extension that installs an `AcknowledgedMessagesSessionExtension` on each session). Clients then lose guaranteed ordered delivery, so treat this as a stop-gap.
- Apply a custom `BayeuxServer.Extension` that checks the `ack` value advances monotonically on each `/meta/connect` and disconnects sessions that violate this rule.
- Monitor server memory metrics for abnormal growth in the unacknowledged queue size.
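One way to implement the monotonic-ack check from the third item above, as an added example written for this page rather than CometD's own code. It assumes the CometD 7/8 server API (`org.cometd.bayeux.server.BayeuxServer.Extension`, `ServerSession` attributes, `ServerMessage.Mutable.getExt()`), that the batch number a well-behaved client echoes never decreases, and that a legitimate client may occasionally repeat the same value (for example after a long-poll that returned no messages), so only repeats beyond a configurable threshold are treated as abuse. The attribute names, the threshold and the treatment of negative values as "nothing acknowledged yet" are this example's own choices.

```java
// Added example (not CometD project code): a BayeuxServer.Extension that drops
// sessions whose /meta/connect "ack" batch value stops advancing.
// Assumes the CometD 7/8 server API; attribute names and threshold are ours.
import java.util.Map;

import org.cometd.bayeux.Channel;
import org.cometd.bayeux.server.BayeuxServer;
import org.cometd.bayeux.server.ServerMessage;
import org.cometd.bayeux.server.ServerSession;

public class AckMonotonicityExtension implements BayeuxServer.Extension {
    // Per-session attribute keys (chosen for this example, not CometD's own).
    private static final String LAST_ACK_ATTR = "ackguard.lastAck";
    private static final String REPEATS_ATTR = "ackguard.repeats";

    // How many consecutive identical ack values to tolerate before disconnecting.
    private final int maxRepeats;

    public AckMonotonicityExtension(int maxRepeats) {
        this.maxRepeats = maxRepeats;
    }

    @Override
    public boolean rcvMeta(ServerSession session, ServerMessage.Mutable message) {
        // Only /meta/connect carries the acknowledgement batch; handshake has no session yet.
        if (session == null || !Channel.META_CONNECT.equals(message.getChannel())) {
            return true;
        }
        Map<String, Object> ext = message.getExt();
        Object ack = ext == null ? null : ext.get("ack");
        if (!(ack instanceof Number)) {
            return true; // no ack field: this client is not using the ack extension
        }
        long batch = ((Number) ack).longValue();
        if (batch < 0) {
            return true; // assumption: negative batch means "nothing acknowledged yet"
        }
        return accept(session, batch);
    }

    // Returns true if the batch value is acceptable for this session; otherwise the
    // session is disconnected (freeing its unacknowledged queue) and false is returned
    // so CometD does not process the /meta/connect any further.
    boolean accept(ServerSession session, long batch) {
        Long last = (Long) session.getAttribute(LAST_ACK_ATTR);
        Integer repeats = (Integer) session.getAttribute(REPEATS_ATTR);
        int repeatCount = repeats == null ? 0 : repeats;

        if (last != null && batch < last) {
            return reject(session, "ack batch went backwards: " + batch + " < " + last);
        }
        if (last != null && batch == last) {
            repeatCount++;
            if (repeatCount > maxRepeats) {
                return reject(session, "ack batch " + batch + " repeated " + repeatCount + " times");
            }
        } else {
            repeatCount = 0; // the batch advanced, reset the repeat counter
        }
        session.setAttribute(LAST_ACK_ATTR, batch);
        session.setAttribute(REPEATS_ATTR, repeatCount);
        return true;
    }

    private boolean reject(ServerSession session, String reason) {
        // Replace with your logger; the reason is useful for detection dashboards.
        System.err.println("ack guard: disconnecting " + session.getId() + ": " + reason);
        session.disconnect();
        return false;
    }
}
```

Register it with `bayeux.addExtension(new AckMonotonicityExtension(3))` before `AcknowledgedMessagesExtension`, so that it sees each incoming `/meta/connect` first (incoming extensions run in registration order). Tune the threshold against real client behaviour before enforcing disconnects, and treat the extension as a bridge until a patched release is deployed.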
Impact:
Successful exploitation leads to a complete denial of service of the CometD server. The memory exhaustion can cascade to other services hosted on the same JVM, affecting the entire application. No data corruption or privilege escalation occurs, but the service becomes unavailable until a restart. In highly available clusters, an attacker can sequentially target each node, causing a full cluster outage.
Sources:
Reported By: github.com

