CVE-2025-54539
Published: 16 October 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-54539 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Apache ActiveMQ NMS AMQP Client. It affects all versions up to and including 2.3.0, specifically when the client establishes connections to untrusted AMQP servers. The flaw stems from unbounded deserialization logic in the client: a malicious server can craft responses that, when deserialized by the client, lead to arbitrary code execution on the client side. Although version 2.1.0 introduced allow/deny lists to restrict deserialization, this protection is bypassable under certain conditions. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An attacker controlling an untrusted AMQP server can exploit this issue against clients connecting to it. No special privileges or user interaction are required, enabling remote exploitation over the network with low complexity. Successful exploitation allows arbitrary code execution on the victim's machine, potentially leading to full compromise of the client system.
Advisories recommend upgrading to version 2.4.0 or later, which resolves the vulnerability. As a long-term hardening strategy, projects using NMS-AMQP should migrate away from .NET binary serialization, aligning with Microsoft’s deprecation of it in .NET 9; the project is evaluating its full removal from the NMS API in future releases. Details are available in the Apache announcement at https://lists.apache.org/thread/9k684j07ljrshy3hxwhj5m0xjmkz1g2n and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2025/10/15/3.
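To illustrate the hardening direction the advisory describes, here is an added example (not code from the NMS-AMQP project): a consumer that refuses any IObjectMessage, whose Body property would run .NET object deserialization over broker-supplied bytes, and instead accepts only text messages parsed into a fixed DTO with System.Text.Json. The OrderEvent type, the NMSType tag, the queue name and the broker address are assumptions.

```csharp
// Added example, not part of the Apache NMS-AMQP code base.
// Assumes the Apache.NMS and Apache.NMS.AMQP packages; OrderEvent, the
// "OrderEvent" NMSType tag, the queue name and the broker URI are placeholders.
using System;
using System.Text.Json;
using Apache.NMS;
using Apache.NMS.AMQP;

public sealed record OrderEvent(string OrderId, int Quantity);   // hypothetical payload type

public static class HardenedConsumer
{
    // Only explicitly tagged text payloads are parsed, and only into a known type.
    public static OrderEvent? Accept(IMessage message)
    {
        if (message is IObjectMessage)
        {
            // Reading IObjectMessage.Body would hand server-chosen bytes to .NET
            // object deserialization; the message is logged and dropped instead.
            Console.Error.WriteLine("Rejected object message from broker");
            return null;
        }
        if (message is ITextMessage text && text.NMSType == "OrderEvent")
        {
            var options = new JsonSerializerOptions { MaxDepth = 8 }; // bound nesting
            return JsonSerializer.Deserialize<OrderEvent>(text.Text, options);
        }
        return null; // unknown kinds and untagged text are ignored
    }

    public static void Main()
    {
        // Placeholder broker address; the queue name is also assumed.
        var factory = new NmsConnectionFactory("amqp://broker.example.invalid:5672");
        using IConnection connection = factory.CreateConnection();
        using ISession session = connection.CreateSession(AcknowledgementMode.AutoAcknowledge);
        using IMessageConsumer consumer = session.CreateConsumer(session.GetQueue("orders"));
        consumer.Listener += message =>
        {
            OrderEvent? evt = Accept(message);
            if (evt != null)
                Console.WriteLine($"Order {evt.OrderId} x{evt.Quantity}");
        };
        connection.Start();
        Console.ReadLine(); // keep the process alive while messages arrive
    }
}
```

Upgrading to 2.4.0 remains the primary fix; this pattern only removes the client's dependence on .NET binary serialization, which is the longer-term direction the advisory names.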
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The deserialization vulnerability in the AMQP client enables remote arbitrary code execution when connecting to malicious servers, directly facilitating Exploitation for Client Execution (T1203).