CVE-2025-53114 – CometD has acknowledgement extension out of memory

CVE ID :CVE-2025-53114

Published : June 18, 2026, 4:25 p.m. | 1 hour, 17 minutes ago

Description :CometD is a scalable comet implementation for web messaging. In versions 5.0.0 through 5.0.22, 6.0.0 through 6.0.18, 7.0.0 through 7.0.18, and 8.0.0 through 8.0.8, bad clients that always send a fixed batch value when the server is using the acknowledgement extension may cause the unacknowledged message queue to grow indefinitely, eventually causing an `OutOfMemoryError`. Versions 5.0.23, 6.0.19, 7.0.19, and 8.0.9 patch the issue. As a workaround, disable the acknowledgement extension.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…