Overview
This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.
Vulnerability Details
- CVE ID: CVE-2025-66168
- Dependency Name: activemq-client
- Affected Version of Dependency: <=6.1.8
- Severity Score: NIST 8.8 High, CNA 5.4 Medium
Affected Versions of DPGW
- 1.13.13-REL – 1.13.16-REL
Risk Assessment & Applicability
Usage
DPGW uses ActiveMQ as a message broker for topics and queues.
Analysis
The activemq-client library is not vulnerable by itself; the vulnerability lies inside the broker. In all of our deployments the broker is accessible only from localhost, so the attack surface is very limited.
Status
Affected
Severity Score in the context of DPGW: 6.1 Medium CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:L/MAV:L/MPR:H
Impact on DPGW
If an attacker were to successfully exploit this vulnerability in the context of our software, the potential impact would be unexpected behavior of the message broker, which might lead to unavailability of our product.
Remediation & Mitigations
Scheduled fix
We have scheduled the release of version 1.13.17-REL, which should address this issue. The release is planned for mid-March 2026.
User Actions
Users can mitigate this vulnerability by verifying that the broker is not accessible from anywhere other than the localhost loopback interface.
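As an added example (not part of this advisory or of DPGW), the following POSIX shell check parses `ss -ltnH` output and reports broker listeners that are bound to a non-loopback address. The port list is an assumption based on stock ActiveMQ transport defaults; the sample input is constructed.

```shell
#!/bin/sh
# Added check (not from the advisory): flag ActiveMQ broker listeners that are bound
# to anything other than the loopback interface, using `ss -ltnH` output as input.
# Assumption: the broker uses the stock ActiveMQ transport ports listed below;
# adjust the list to match your deployment's broker configuration.
ACTIVEMQ_PORTS="61616 61613 61614 5672 1883 8161"

# is_loopback ADDR: succeeds when ADDR is a loopback bind address (IPv4 or IPv6).
is_loopback() {
    case "$1" in
        127.*|'[::1]') return 0 ;;
        *) return 1 ;;
    esac
}

# exposed_listeners: reads `ss -ltnH` lines on stdin and prints the local address of
# every ActiveMQ-port listener that is not loopback-only. Returns 0 when all broker
# listeners are confined to loopback, 1 when at least one is exposed.
exposed_listeners() {
    rc=0
    while read -r _state _recvq _sendq laddr _rest; do
        port=${laddr##*:}   # text after the last ':' is the port
        addr=${laddr%:*}    # everything before it is the bind address
        for p in $ACTIVEMQ_PORTS; do
            if [ "$port" = "$p" ] && ! is_loopback "$addr"; then
                printf '%s\n' "$laddr"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample of `ss -ltnH` output: OpenWire and STOMP are loopback-only,
# the web console is bound to all interfaces, and sshd is not a broker port.
SAMPLE='LISTEN 0 128 127.0.0.1:61616 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8161 0.0.0.0:*
LISTEN 0 128 [::1]:61613 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# check_sample: runs the check over the constructed sample; on a live host use
#   ss -ltnH | exposed_listeners
check_sample() {
    printf '%s\n' "$SAMPLE" | exposed_listeners
}
```

A non-zero exit from exposed_listeners means a broker port is reachable beyond loopback and the bind address in the broker's transport connector configuration should be reviewed.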