Acknowledgement extension out of memory — CVE-2025-53114
GitHub · GitHub · CVE-2025-53114
ID
CVE-2025-53114
CVE-2025-53114
Date
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
7.5
7.5
Summary
### Impact Bad clients that always send a fixed batch value while the server is using the acknowledgement extension can cause the unacknowledged message queue to grow indefinitely, eventually resulting in an OutOfMemoryError. Such bad clients would always send: ```json { "channel": "/meta/connect", ... "ext": { "ack": 1 } } ``` The server would never clear the unacknowledged message queue, and one bad client can…
Product
maven: org.cometd.java:cometd-java-server-common
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.