Apache ActiveMQ NMS AMQP Client Deserialization Vulnerability Leading to Arbitrary Code Execution
Vulnerability
A deserialization-of-untrusted-data vulnerability has been identified in the Apache ActiveMQ NMS AMQP Client, affecting all versions through 2.3.0. The issue arises when the client connects to an untrusted AMQP server: a malicious server can abuse the client's unrestricted deserialization of message payloads, which can result in arbitrary code execution on the client side. Version 2.1.0 attempted to mitigate the issue by introducing allow/deny lists that restrict which types may be deserialized, but this protection can be bypassed under certain conditions. Because Microsoft has deprecated binary serialization in .NET 9, the project is considering removing .NET binary serialization support from the NMS API in future releases.
Impact
Exploitation of this vulnerability could lead to arbitrary code execution on the client side.
Remediation
Users are advised to upgrade to version 2.4.0 or later, which addresses this vulnerability. Additionally, projects using NMS-AMQP should move away from .NET binary serialization altogether as a longer-term hardening measure.
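As an added example (not the advisory's or the project's own code), the following consumer written against the Apache.NMS API applies the remediation above: it accepts only text messages, decodes them with System.Text.Json into a type the consumer itself chooses, and refuses IObjectMessage bodies without ever reading them. The OrderEvent type, queue name and broker URI are assumptions.

```csharp
using System;
using System.Text.Json;
using Apache.NMS;
using Apache.NMS.AMQP;

// Assumed application DTO: the consumer fixes the target type, so the payload
// can never select which .NET type gets instantiated.
public sealed record OrderEvent(string OrderId, decimal Amount);

public static class SafeConsumer
{
    // Returns null for anything that is not a text message carrying a well-formed OrderEvent.
    public static OrderEvent? Decode(IMessage message)
    {
        switch (message)
        {
            case ITextMessage text:
                try
                {
                    // System.Text.Json does not honour type names embedded in the payload.
                    return JsonSerializer.Deserialize<OrderEvent>(text.Text);
                }
                catch (JsonException)
                {
                    return null; // malformed JSON from the broker is dropped, not executed
                }
            case IObjectMessage obj:
                // Do not touch obj.Body: that is where binary deserialization of
                // server-supplied data would occur.
                Console.Error.WriteLine($"Rejected IObjectMessage {obj.NMSMessageId}");
                return null;
            default:
                return null;
        }
    }

    public static void Run(string brokerUri, string queueName)
    {
        IConnectionFactory factory = new NmsConnectionFactory(brokerUri);
        using IConnection connection = factory.CreateConnection();
        using ISession session = connection.CreateSession(AcknowledgementMode.AutoAcknowledge);
        using IMessageConsumer consumer = session.CreateConsumer(session.GetQueue(queueName));
        connection.Start();

        IMessage? message = consumer.Receive(TimeSpan.FromSeconds(5));
        if (message != null && Decode(message) is { } order)
            Console.WriteLine($"order {order.OrderId}: {order.Amount}");
    }
}
```

Producers on the same system send the JSON body via ISession.CreateTextMessage so that no IObjectMessage is ever needed.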
