CVE-2026-57212

Summary

RabbitMQ is a messaging and streaming broker. Prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5, the rabbitmq_management HTTP API accepts oversized valid JSON bodies on with_decode and direct_request paths because read_complete_body checks the accumulated size before the final chunk but not the final combined size. This issue is fixed in versions 3.13.14, 4.0.19, 4.1.10, and 4.2.5.

Affected Software

VendorProductVersion RangeStatus
rabbitmqrabbitmq-server>= 4.2.0, < 4.2.5affected
rabbitmqrabbitmq-server>= 4.1.0, < 4.1.10affected
rabbitmqrabbitmq-server>= 4.0.0, < 4.0.19affected
rabbitmqrabbitmq-server>= 3.13.0, < 3.13.14affected

Weaknesses

  • CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling

References