CVE-2025-66168 Overview
Apache ActiveMQ contains an integer overflow vulnerability in its MQTT protocol handler, which fails to properly validate the Remaining Length field when decoding packets. The MQTT v3.1.1 specification limits the Remaining Length field to a maximum of 4 bytes; a non-compliant client can send a longer or otherwise malformed encoding, the decoder overflows, the broker computes the wrong total Remaining Length, and the rest of the payload is then misinterpreted as additional MQTT control packets. The result is unexpected broker behavior when interacting with non-compliant clients.
Critical Impact
Authenticated attackers can exploit this integer overflow to cause unexpected broker behavior, potentially leading to confidentiality, integrity, and availability impacts on the messaging infrastructure.
Affected Products
- Apache ActiveMQ versions before 5.19.2
- Apache ActiveMQ versions 6.0.0 to 6.1.8
- Apache ActiveMQ version 6.2.0
Discovery Timeline
- March 4, 2026 - CVE-2025-66168 published to NVD
- March 5, 2026 - Last updated in NVD database
Technical Details for CVE-2025-66168
Vulnerability Analysis
The vulnerability resides in how Apache ActiveMQ processes the MQTT Remaining Length field during packet decoding. According to the MQTT v3.1.1 specification, the Remaining Length field uses a variable-length encoding scheme that should be limited to a maximum of 4 bytes, representing values up to 268,435,455. However, ActiveMQ does not properly enforce this boundary, allowing an integer overflow condition when processing malformed packets with excessively large length values.
When the integer overflow occurs, ActiveMQ miscalculates the total Remaining Length, which causes the broker to misinterpret subsequent bytes in the packet as separate MQTT control packets. This packet boundary confusion can lead to processing of unintended data as valid MQTT commands, resulting in unexpected broker behavior.
The vulnerability requires an established connection after authentication, meaning attackers must first authenticate to the broker before exploitation. Organizations that have not enabled MQTT transport connectors are not affected by this vulnerability.
Root Cause
The root cause is an Integer Overflow vulnerability (CWE-190) in the MQTT packet parsing logic. The code fails to validate that the decoded Remaining Length value does not exceed the maximum allowed by the MQTT specification, and does not properly handle arithmetic operations that could result in integer wraparound when computing packet boundaries.
Attack Vector
The attack can be executed over the network by an authenticated client connecting via the MQTT transport connector. The attacker sends a malformed MQTT packet containing a Remaining Length field encoded with more than 4 bytes or values that cause integer overflow when processed. This causes the broker to miscompute packet boundaries and potentially process attacker-controlled data as valid MQTT control packets.
The vulnerability manifests in the MQTT packet decoding routine where the variable-length integer representing the Remaining Length is processed. When a malicious client sends a packet with a crafted Remaining Length field that triggers integer overflow, the broker's internal state becomes corrupted, leading to misinterpretation of the data stream. Technical details regarding the specific overflow condition can be found in the Apache Mailing List Thread.
Detection Methods for CVE-2025-66168
Indicators of Compromise
- Unusual MQTT protocol errors or exceptions in ActiveMQ broker logs
- Abnormally large or malformed MQTT packets observed in network traffic
- Multiple MQTT protocol violations from the same client connection
- Unexpected broker restarts or crashes following MQTT client connections
Detection Strategies
- Monitor ActiveMQ logs for MQTT protocol parsing exceptions and integer overflow errors
- Implement network-level inspection for MQTT packets with Remaining Length fields exceeding 4 bytes
- Deploy intrusion detection signatures targeting malformed MQTT control packets
- Monitor for authenticated MQTT sessions exhibiting anomalous packet patterns
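As an added illustration (not ActiveMQ's own code) of the Remaining Length handling described under Root Cause and of the "more than 4 bytes" check in the detection strategies above, the following shows a spec-compliant decoder, a naive variant with 32-bit wraparound emulated, and a per-packet compliance check. The packet bytes and function names are constructed for this example.

```python
from typing import Tuple

MAX_REMAINING_LENGTH_BYTES = 4  # MQTT v3.1.1 caps the field at 4 bytes (max 268,435,455)

class MalformedRemainingLength(ValueError):
    """Raised when a Remaining Length field violates MQTT v3.1.1."""

def decode_remaining_length(data: bytes, offset: int = 1) -> Tuple[int, int]:
    """Spec-compliant decoder: returns (value, bytes_consumed) for the field
    starting at `offset` (1 = right after the first fixed-header byte)."""
    value, multiplier, consumed = 0, 1, 0
    for byte in data[offset:]:
        consumed += 1
        if consumed > MAX_REMAINING_LENGTH_BYTES:
            raise MalformedRemainingLength("more than 4 Remaining Length bytes")
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if not byte & 0x80:  # continuation bit clear: this was the last byte
            return value, consumed
    raise MalformedRemainingLength("Remaining Length field is truncated")

def naive_decode_wrapping32(data: bytes, offset: int = 1) -> Tuple[int, int]:
    """Same loop without the byte-count check, arithmetic masked to 32 bits to
    emulate a fixed-width int. A 5th byte contributes (byte & 0x7F) * 2**28,
    which wraps; 0x10 there yields 2**32 & 0xFFFFFFFF == 0."""
    value, multiplier, consumed = 0, 1, 0
    for byte in data[offset:]:
        consumed += 1
        value = (value + (byte & 0x7F) * multiplier) & 0xFFFFFFFF
        multiplier = (multiplier * 128) & 0xFFFFFFFF
        if not byte & 0x80:
            return value, consumed
    raise MalformedRemainingLength("Remaining Length field is truncated")

def is_fixed_header_compliant(packet: bytes) -> bool:
    """Detection check for one captured packet: the Remaining Length must
    decode under the 4-byte rule and account for every byte that follows it."""
    try:
        length, consumed = decode_remaining_length(packet)
    except MalformedRemainingLength:
        return False
    return len(packet) == 1 + consumed + length

# Constructed sample: a PUBLISH fixed header byte (0x30) followed by a 5-byte
# Remaining Length. The compliant decoder rejects it; the naive one reads 0, so
# whatever bytes follow would be parsed as the start of further control packets.
OVERLONG_HEADER = bytes([0x30, 0x80, 0x80, 0x80, 0x80, 0x10])
```

Running is_fixed_header_compliant over captured MQTT fixed headers is one way to flag the over-long encodings the detection strategy above describes.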
Monitoring Recommendations
- Enable detailed logging for MQTT transport connectors in ActiveMQ
- Configure network monitoring to alert on MQTT traffic anomalies from authenticated sessions
- Implement broker health monitoring to detect unexpected behavior or performance degradation
- Review authentication logs for suspicious MQTT client connection patterns
How to Mitigate CVE-2025-66168
Immediate Actions Required
- Upgrade Apache ActiveMQ to version 5.19.2, 6.1.9, or 6.2.1 which contain the fix
- If immediate patching is not possible, consider disabling MQTT transport connectors temporarily
- Review and restrict network access to MQTT ports (typically 1883 and 8883)
- Audit and validate all MQTT client applications connecting to the broker
Patch Information
Apache has released patched versions that address this integer overflow vulnerability. Users should upgrade to one of the following fixed versions based on their current deployment:
- For versions before 5.19.2: Upgrade to 5.19.2 or later
- For versions 6.0.0 to 6.1.8: Upgrade to 6.1.9 or later
- For version 6.2.0: Upgrade to 6.2.1 or later
Refer to the Apache Mailing List Thread for official patch announcement and additional details.
Workarounds
- Disable MQTT transport connectors if not required for your deployment
- Implement network segmentation to restrict MQTT access to trusted clients only
- Deploy a protocol-aware firewall or MQTT-aware proxy to filter malformed MQTT packets (an HTTP-only Web Application Firewall does not inspect MQTT traffic on the raw TCP ports)
- Enforce strict authentication and authorization policies for MQTT connections
# Configuration example - Disable the MQTT transport connector in activemq.xml
# Remove the MQTT transport connector, or wrap it in an XML comment (<!-- ... -->), if it is not needed:
# <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883"/>
# Alternatively, reduce exposure by binding the connector to one internal interface instead of 0.0.0.0.
# The uri holds a bind address and port, not a CIDR range, so IP-range restrictions belong in a host or network firewall:
# <transportConnector name="mqtt" uri="mqtt://10.0.0.5:1883"/>
# (10.0.0.5 is a placeholder for the broker's internal interface address)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.