CVE Catalog

CVE-2025-53114

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

30th percentile — higher than 30% of all known CVEs

Summary

CometD is a scalable comet implementation for web messaging. In versions 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8, bad clients may cause the unacknowledged message queue to grow indefinitely, leading to an `OutOfMemoryError`. Versions 5.0.23, 6.0.19, 7.0.19, and 8.0.9 patch the issue.

Risk Assessment

Organizations may experience serious performance and stability issues, potentially leading to service outages. Increased memory consumption may result in application crashes.

Recommendation

It is recommended to upgrade to versions 5.0.23, 6.0.19, 7.0.19, or 8.0.9. Alternatively, disabling the acknowledgement extension can serve as a temporary workaround.

Original NVD description (English source)

CometD is a scalable comet implementation for web messaging. In versions 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8, bad clients that always send a fixed batch value when the server is using the acknowledgement extension may cause the unacknowledged message queue to grow indefinitely, eventually causing an `OutOfMemoryError`. Versions 5.0.23, 6.0.19, 7.0.19, and 8.0.9 patch the issue. As a workaround, disable the acknowledgement extension.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS