An untrusted data deserialization vulnerability has been identified in the Apache ActiveMQ NMS AMQP client, exposing systems to potential attacks from malicious servers.
The flaw, tracked as CVE-2025-54539, has a score of 9.8 out of 10, and affects all versions up to and including 2.3.0 when connections are established to untrusted AMQP servers.
According to security experts at Endor Labs , who reported the flaw, a suitably modified remote server can exploit the client’s unconstrained deserialization logic to send manipulated responses, potentially allowing arbitrary code execution on the victim’s system.
A security mechanism based on allow/deny lists was already introduced in version 2.1.0 to limit deserialization. However, subsequent analyses showed that this protection could be bypassed under certain circumstances , thus maintaining the risk of compromise.
In parallel to the vulnerability, the Apache ActiveMQ development team announced that, in line with Microsoft’s decision to deprecate binary serialization in .NET 9 , they are evaluating whether to completely remove support for .NET binary serialization in future versions of the NMS API.
Users are strongly advised to update the client to version 2.4.0 or later , which resolves the issue.
Additionally, all projects relying on NMS-AMQP should plan a migration from .NET binary serialization as part of a broader long-term security hardening strategy.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
