CVE-2025-53114

Summary

CometD is a scalable comet implementation for web messaging. In versions 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8, bad clients that always send a fixed batch value when the server is using the acknowledgement extension may cause the unacknowledged message queue to grow indefinitely, eventually causing an OutOfMemoryError. Versions 5.0.23, 6.0.19, 7.0.19, and 8.0.9 patch the issue. As a workaround, disable the acknowledgement extension.

Affected Software

VendorProductVersion RangeStatus
cometdcometd>= 5.0.0, < 5.0.23affected
cometdcometd>= 6.0.0, < 6.0.19affected
cometdcometd>= 7.0.0, < 7.0.19affected
cometdcometd>= 8.0.0, < 8.0.9affected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References