Also it looks like the link is now active.

On Wed, Mar 4, 2026 at 3:02 PM Ken Liao <[email protected]> wrote:

> Thanks Matt!
>
> On Wed, Mar 4, 2026 at 6:47 AM Matt Pavlovich <[email protected]> wrote:
>
> > Ken-
> >
> > The severity is a 5.4
> >
> > -Matt
> >
> > > On Mar 3, 2026, at 9:49 PM, Ken Liao <[email protected]> wrote:
> > >
> > > Thanks Christopher,
> > >
> > > Do we know the timeline of when
> > > https://www.cve.org/CVERecord?id=CVE-2025-66168 will be published? And what is
> > > the severity of this CVE?
> > >
> > > Ken
> > >
> > > On Tue, Mar 3, 2026 at 9:26 AM Christopher L. Shannon <[email protected]> wrote:
> > >
> > >> Severity:
> > >>
> > >> Affected versions:
> > >>
> > >> - Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.2
> > >> - Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.1.9
> > >> - Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.2.0 before 6.2.1
> > >> - Apache ActiveMQ All Module (org.apache.activemq:activemq-all) before 5.19.2
> > >> - Apache ActiveMQ All Module (org.apache.activemq:activemq-all) 6.0.0 before 6.1.9
> > >> - Apache ActiveMQ All Module (org.apache.activemq:activemq-all) 6.2.0 before 6.2.1
> > >> - Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) before 5.19.2
> > >> - Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) 6.0.0 before 6.1.9
> > >> - Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) 6.2.0 before 6.2.1
> > >>
> > >> Description:
> > >>
> > >> Apache ActiveMQ does not properly validate the remaining length field,
> > >> which may lead to an overflow during the decoding of malformed packets.
> > >> When this integer overflow occurs, ActiveMQ may incorrectly compute the
> > >> total Remaining Length and subsequently misinterpret the payload as
> > >> multiple MQTT control packets, which makes the broker susceptible to
> > >> unexpected behavior when interacting with non-compliant clients. This
> > >> behavior violates the MQTT v3.1.1 specification, which restricts
> > >> Remaining Length to a maximum of 4 bytes. The scenario occurs on
> > >> established connections after the authentication process. Brokers that
> > >> are not enabling mqtt transport connectors are not impacted.
> > >>
> > >> This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0
> > >>
> > >> Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which
> > >> fixes the issue.
> > >>
> > >> Credit:
> > >>
> > >> Gai Tanaka <[email protected]> (finder)
> > >>
> > >> References:
> > >>
> > >> https://activemq.apache.org/
> > >> https://www.cve.org/CVERecord?id=CVE-2025-66168
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: [email protected]
> > >> For additional commands, e-mail: [email protected]
> > >> For further information, visit: https://activemq.apache.org/contact
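As an added illustration of the Remaining Length rule the advisory cites (this is constructed example code, not ActiveMQ's own implementation): a decoder that enforces the MQTT v3.1.1 4-byte cap, an uncapped 32-bit decoder that models the overflow class described in the advisory so the two can be compared, and a packet splitter built on the strict decoder. Function names and the sample bytes are assumptions made for the example.

```python
# Constructed example (not ActiveMQ code): MQTT v3.1.1 Remaining Length
# decoding. The field is a variable-length integer, 7 data bits per byte with
# the high bit as a continuation flag, capped at 4 bytes (max 268,435,455).

MAX_LENGTH_BYTES = 4
MAX_REMAINING_LENGTH = 268_435_455  # encoded as 0xFF 0xFF 0xFF 0x7F


class MalformedPacket(ValueError):
    """Raised when a Remaining Length violates the MQTT v3.1.1 encoding."""


def decode_unbounded_int32(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Decoder with no 4-byte cap and a 32-bit accumulator, modelling the bug
    class in the advisory for contrast only. A fifth byte is multiplied by
    128**4 = 2**28, so its contribution can wrap the accumulator to a small
    value and the following bytes are then read as a new control packet."""
    value, multiplier, i = 0, 1, offset
    while True:
        byte = buf[i]
        i += 1
        value = (value + (byte & 0x7F) * multiplier) & 0xFFFFFFFF
        if not byte & 0x80:
            return value, i - offset
        multiplier = (multiplier * 128) & 0xFFFFFFFF


def decode_remaining_length(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Spec-conformant decoder: returns (remaining_length, bytes_consumed)
    and rejects a fifth length byte or a truncated buffer."""
    value, multiplier = 0, 1
    for n in range(MAX_LENGTH_BYTES):
        if offset + n >= len(buf):
            raise MalformedPacket("truncated Remaining Length")
        byte = buf[offset + n]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, n + 1
        multiplier *= 128
    raise MalformedPacket("Remaining Length exceeds 4 bytes")


def split_packets(stream: bytes) -> list[tuple[int, bytes]]:
    """Split a buffered stream into (control_packet_type, body) tuples, failing
    the whole stream on a malformed length instead of resynchronising on it."""
    packets, pos = [], 0
    while pos < len(stream):
        length, used = decode_remaining_length(stream, pos + 1)
        start, end = pos + 1 + used, pos + 1 + used + length
        if end > len(stream):
            raise MalformedPacket("body shorter than Remaining Length")
        packets.append((stream[pos] >> 4, stream[start:end]))
        pos = end
    return packets
```

On the constructed 5-byte field `80 80 80 80 10` the uncapped decoder returns a Remaining Length of 0, while the strict decoder raises `MalformedPacket`.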
