Acknowledgement extension out of memory

GHSA-cqgj-h8vf-4w59 · CVE-2025-53114

Published Jun 10, 2026 · Modified Jun 10, 2026

Description

Impact

Bad clients that always send a fixed batch value while the server is using the acknowledgement extension can cause the unacknowledged message queue to grow indefinitely, eventually resulting in an OutOfMemoryError.

Such bad clients would always send:

{
  "channel": "/meta/connect",
  ...
  "ext": { "ack": 1 }
}

The server would never clear the unacknowledged message queue, and one bad client can cause a server outage.

Patches

5.0.x - https://github.com/cometd/cometd/pull/2168
6.0.x - https://github.com/cometd/cometd/pull/2169
8.0.x - https://github.com/cometd/cometd/pull/2118

Workarounds

Disable the acknowledgement extension.

Resources

https://github.com/cometd/cometd/discussions/2116
https://github.com/cometd/cometd/issues/2117

References

WEB https://github.com/cometd/cometd/security/advisories/GHSA-cqgj-h8vf-4w59
WEB https://github.com/cometd/cometd/issues/2117
WEB https://github.com/cometd/cometd/pull/2118
WEB https://github.com/cometd/cometd/pull/2168
WEB https://github.com/cometd/cometd/pull/2169
PACKAGE https://github.com/cometd/cometd
WEB https://github.com/cometd/cometd/discussions/2116

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes