Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

Affected Packages

Maven org.apache.activemq:activemq-client

Affected versions: 0 (fixed in 5.15.16)

Maven org.apache.activemq:activemq-client

Affected versions: 5.16.0 (fixed in 5.16.7)

Maven org.apache.activemq:activemq-client

Affected versions: 5.17.0 (fixed in 5.17.6)

Maven org.apache.activemq:activemq-client

Affected versions: 5.18.0 (fixed in 5.18.3)

Maven org.apache.activemq:activemq-openwire-legacy

Affected versions: 5.8.0 (fixed in 5.15.16)

Maven org.apache.activemq:activemq-openwire-legacy

Affected versions: 5.16.0 (fixed in 5.16.7)

Maven org.apache.activemq:activemq-openwire-legacy

Affected versions: 5.17.0 (fixed in 5.17.6)

Maven org.apache.activemq:activemq-openwire-legacy

Affected versions: 5.18.0 (fixed in 5.18.3)

Related CVEs

CVE-2023-46604

Key Information

GHSA ID

GHSA-crg9-44h2-xw35

Published

October 27, 2023 3:30 PM

Last Modified

February 13, 2025 7:20 PM

CVSS Score

9.0 /10

Primary Ecosystem

Maven

Primary Package

org.apache.activemq:activemq-client

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.