CVE-2025-27391: Apache ActiveMQ Artemis: Passwords leaking from broker properties in the debug log

6.8 CVSS

Description

Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug level enabled.

This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log access to only trusted users.

Users are recommended to upgrade to version 2.40.0, which fixes the issue.

Classification

CVE ID: CVE-2025-27391

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.8

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Problem Types

CWE-532 Insertion of Sensitive Information into Log File

Affected Products

Vendor: Apache Software Foundation

Product: Apache ActiveMQ Artemis

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.24% (scored less or equal to compared to others)

EPSS Date: 2025-04-20 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27391
https://lists.apache.org/thread/25p96cvzl1mkt29lwm2d8knklkoqolps

Timeline

2025-04-09 15:40:11 UTC
CVE

Apache ActiveMQ Artemis: Passwords leaking from broker properties in the debug log
2025-04-10 19:30:31 UTC
Github Advisory Database (Maven)

[org.apache.activemq:artemis-project] Apache ActiveMQ Artemis Vulnerable to Insertion of Sensitive Information into Log File