Apache ActiveMQ 5.19.x/6.x MQTT Remaining Length Overflow
CVE-2025-66168 Published on March 4, 2026

Apache ActiveMQ, Apache ActiveMQ All Module, Apache ActiveMQ MQTT Module: MQTT control packet remaining length field is not properly validated
Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-66168 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

Integer Overflow or Wraparound

The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. An integer overflow or wraparound occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may wrap to become a very small or negative number. While this may be intended behavior in circumstances that rely on wrapping, it can have security consequences if the wrap is unexpected. This is especially the case if the integer overflow can be triggered using user-supplied inputs. This becomes security-critical when the result is used to control looping, make a security decision, or determine the offset or size in behaviors such as memory allocation, copying, concatenation, etc.

Products Associated with CVE-2025-66168

Want to know whenever a new CVE is published for Apache ActiveMQ? stack.watch will email you.

Apache ActiveMQ

Affected Versions

Apache Software Foundation Apache ActiveMQ:

Before 5.19.2 is affected.
Version 6.0.0 and below 6.1.9 is affected.
Version 6.2.0 and below 6.2.1 is affected.

Apache Software Foundation Apache ActiveMQ All Module:

Before 5.19.2 is affected.
Version 6.0.0 and below 6.1.9 is affected.
Version 6.2.0 and below 6.2.1 is affected.

Apache Software Foundation Apache ActiveMQ MQTT Module:

Before 5.19.2 is affected.
Version 6.0.0 and below 6.1.9 is affected.
Version 6.2.0 and below 6.2.1 is affected.

Exploit Probability

EPSS

0.12%

Percentile

30.37%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.