PatchSiren cyber security CVE debrief
CVE-2025-53114 cometd CVE debrief
CometD, a scalable comet implementation for web messaging, has a high-severity vulnerability tracked as CVE-2025-53114. The issue affects versions 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8. An attacker can exploit this vulnerability by sending a fixed batch value when the server uses the acknowledgement extension, potentially causing the unacknowledged message queue to grow indefinitely and leading to an OutOfMemoryError. The CVSS score for this vulnerability is 7.5, indicating a high severity. Patches are available in versions 5.0.23, 6.0.19, 7.0.19, and 8.0.9. As a workaround, disabling the acknowledgement extension can mitigate the issue.
- Vendor
- cometd
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-18
- Original CVE updated
- 2026-06-23
- Advisory published
- 2026-06-18
- Advisory updated
- 2026-06-23
Who should care
Users of CometD versions 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8 should be aware of this vulnerability and take steps to patch or mitigate it. This includes administrators and developers responsible for maintaining systems that utilize CometD for web messaging.
Technical summary
CVE-2025-53114 is a denial-of-service (DoS) vulnerability in CometD, a scalable comet implementation for web messaging. The vulnerability arises from the improper handling of the acknowledgement extension by certain clients. Specifically, bad clients that always send a fixed batch value can cause the unacknowledged message queue to grow indefinitely. This growth can eventually lead to an OutOfMemoryError, causing the system to crash or become unresponsive. The vulnerability affects multiple versions of CometD, including 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8. The CVSS score for this vulnerability is 7.5, indicating a high severity. The vulnerability can be patched by upgrading to versions 5.0.23, 6.0.19, 7.0.19, or 8.0.9. As a temporary workaround, disabling the acknowledgement extension can help mitigate the issue.
Defensive priority
High
Recommended defensive actions
- Patch to version 5.0.23, 6.0.19, 7.0.19, or 8.0.9
- Disable the acknowledgement extension if patching is not feasible
- Monitor CometD systems for unusual activity
- Verify system configurations and update as necessary
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-06-18T17:16:27.150Z and was last modified on 2026-06-23T15:50:59.400Z. The NVD entry is currently Deferred. Multiple sources, including GitHub discussions and pull requests, provide additional context and patches for the vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T17:16:27.150Z and has not been modified since then. The NVD entry is currently Deferred.