CVE-2025-53114
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk30th percentile — higher than 30% of all known CVEs
Summary
CometD is a scalable comet implementation for web messaging. In versions 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8, bad clients may cause the unacknowledged message queue to grow indefinitely, leading to an `OutOfMemoryError`. Versions 5.0.23, 6.0.19, 7.0.19, and 8.0.9 patch the issue.
Risk Assessment
Organizations may experience serious performance and stability issues, potentially leading to service outages. Increased memory consumption may result in application crashes.
Recommendation
It is recommended to upgrade to versions 5.0.23, 6.0.19, 7.0.19, or 8.0.9. Alternatively, disabling the acknowledgement extension can serve as a temporary workaround.
Original NVD description (English source)
CometD is a scalable comet implementation for web messaging. In versions 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8, bad clients that always send a fixed batch value when the server is using the acknowledgement extension may cause the unacknowledged message queue to grow indefinitely, eventually causing an `OutOfMemoryError`. Versions 5.0.23, 6.0.19, 7.0.19, and 8.0.9 patch the issue. As a workaround, disable the acknowledgement extension.

