Apache ActiveMQ is vulnerable to Remote Code Execution

GHSA-crg9-44h2-xw35 · BIT-activemq-2023-46604 · CVE-2023-46604

Published Oct 27, 2023 · Modified Nov 4, 2025

Description

Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath.

Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.

References

10.0 / 10

CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H/E:H

Affected Packages

Maven/org.apache.activemq:activemq-client

Fix 5.15.16, 5.16.7, 5.17.6, 5.18.3

Introduced 0, 5.16.0, 5.17.0, 5.18.0

59 affected versions

5.10.05.10.15.10.25.11.05.11.15.11.25.11.35.11.45.12.05.12.15.12.25.12.35.13.05.13.15.13.25.13.35.13.45.13.55.14.05.14.1 +39 more

Maven/org.apache.activemq:activemq-openwire-legacy

Fix 5.15.16, 5.16.7, 5.17.6, 5.18.3

Introduced 5.16.0, 5.17.0, 5.18.0, 5.8.0

59 affected versions

5.10.05.10.15.10.25.11.05.11.15.11.25.11.35.11.45.12.05.12.15.12.25.12.35.13.05.13.15.13.25.13.35.13.45.13.55.14.05.14.1 +39 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes