Critical Apache ActiveMQ Flaw Allows Attackers to Execute Arbitrary Code

An important security flaw in Apache ActiveMQ’s .NET client library has put developers at risk of remote code execution.

The vulnerability, tracked as CVE-2025-54539, exists in the Apache ActiveMQ NMS AMQP Client and can be triggered when the client connects to a malicious AMQP server.

Attackers can exploit this flaw to run arbitrary code on client machines, potentially leading to full system compromise.

Deserialization Flaw in the NMS AMQP Client

The issue arises from insecure deserialization logic in the NMS AMQP client library, which is used by .NET applications to communicate with AMQP message brokers.

When a client connects to a server, it processes incoming serialised objects without sufficient validation.

| CVE ID | Affected Products | CVSS 3.1 Score | Impact |
| --- | --- | --- | --- |
| CVE-2025-54539 | Apache ActiveMQ NMS AMQP Client ≤ 2.3.0 | Not available | Arbitrary code execution |

Malicious servers can craft responses that exploit this unbounded deserialization, causing the client to instantiate dangerous objects or execute harmful code.

Although version 2.1.0 of the client introduced allow/deny lists to limit types that could be deserialised, researchers discovered ways to bypass these restrictions under specific conditions.

As a result, any application using the NMS AMQP client up to and including version 2.3.0 remains vulnerable.

Successful exploitation of CVE-2025-54539 allows remote attackers to execute arbitrary code on the client side, leading to potential data theft, system takeover, or the deployment of additional malware.

The severity of this flaw is rated as Important by the Apache project, reflecting the high potential impact on confidentiality, integrity, and availability.

Developers and administrators should upgrade immediately to version 2.4.0 or later of the Apache ActiveMQ NMS AMQP Client, where this flaw has been fixed.

Long-term mitigation also involves moving away from .NET binary serialization entirely, as Microsoft plans to deprecate this feature in .NET 9.

Projects should adopt safer serialisation frameworks like JSON or Protocol Buffers and enforce strict type checks.
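The pattern the advisory describes and the mitigation it recommends, side by side, as an added example that is not code from the NMS AMQP client or from Apache: a hypothetical .NET consumer that turns a broker-supplied message body into an object, first with .NET binary serialization (the risky pattern) and then with a fixed JSON contract and strict type checks. `OrderMessage`, `DeserializeBinary` and `DeserializeJson` are names invented for this example, and it assumes the .NET 8 SDK.

```csharp
// Added example, not code from the ActiveMQ NMS AMQP client or Apache.
// A .NET consumer that converts a message body received from a broker into
// an object. The first method trusts a binary-serialized payload; the second
// binds the payload to a fixed contract, as the advisory recommends.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical message contract used by this example only.
public sealed class OrderMessage
{
    public string OrderId { get; set; } = "";
    public int Quantity { get; set; }
}

public static class MessageBodyHandling
{
    // RISKY: BinaryFormatter reconstructs whatever type the payload names.
    // A hostile broker controls that payload, so type allow/deny lists are
    // the only barrier, and the advisory notes such lists were bypassable.
    // .NET marks this API obsolete (SYSLIB0011); shown for contrast only.
    #pragma warning disable SYSLIB0011
    public static object DeserializeBinary(byte[] body)
    {
        using var stream = new MemoryStream(body);
        return new BinaryFormatter().Deserialize(stream);
    }
    #pragma warning restore SYSLIB0011

    // HARDENED: the target type is fixed at compile time, the payload cannot
    // name a type, and unexpected members are rejected rather than ignored.
    private static readonly JsonSerializerOptions StrictOptions = new()
    {
        UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow,
        PropertyNameCaseInsensitive = false,
    };

    public static OrderMessage DeserializeJson(byte[] body)
    {
        var msg = JsonSerializer.Deserialize<OrderMessage>(body, StrictOptions)
                  ?? throw new InvalidDataException("empty message body");
        // Validate the content, not just the shape, before the app acts on it.
        if (msg.Quantity <= 0 || string.IsNullOrEmpty(msg.OrderId))
            throw new InvalidDataException("message failed contract checks");
        return msg;
    }
}
```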

Security teams are encouraged to review their message broker configurations and ensure that clients only connect to trusted AMQP servers.

Network-level controls, such as firewall rules or VPN tunnels, can further reduce exposure by restricting access to legitimate broker endpoints.

Credit for discovering this issue goes to the Security Research Team at Endor Labs. Users seeking more information can visit the Apache ActiveMQ website or the official CVE entry for CVE-2025-54539.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.