CVE-2025-29953: 
C# vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2025-29953) was discovered in Apache ActiveMQ NMS OpenWire Client affecting versions before 2.1.1. The vulnerability was disclosed on April 18, 2025, and involves unbounded deserialization in the client when connecting to untrusted servers (NVD, OSS Security).

The vulnerability stems from improper validation during deserialization of data received from untrusted servers. While version 2.1.0 introduced an allow/denylist feature to restrict deserialization, this security measure could be bypassed. The issue has been assigned a CVSS v3.1 score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (NVD).

The vulnerability could allow malicious servers to provide crafted responses that may lead to arbitrary code execution on the client system. This poses a significant risk as it could result in complete system compromise when connecting to untrusted ActiveMQ servers (GBHackers, OSS Security).

Users are strongly recommended to upgrade to version 2.1.1, which fixes the vulnerability. Additionally, as a long-term hardening measure, users are advised to migrate away from relying on .NET binary serialization, as it has been deprecated by the .NET team starting with .NET 9. The project is considering dropping this part of the NMS API altogether (OSS Security).

The vulnerability was discovered by security researcher g7shot working with Trend Zero Day Initiative. The .NET team's deprecation of built-in .NET binary serialization has influenced the Apache ActiveMQ team to consider removing this functionality from the NMS API entirely (OSS Security).