DescriptionRabbitMQ is a multi-protocol messaging and streaming broker. HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3687-1, DSA-5571-1
Debian Bugs1056723

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rabbitmq-server (PTS)buster3.7.8-4vulnerable
buster (security)3.8.2-1+deb10u2fixed
bullseye (security), bullseye3.8.9-3+deb11u1fixed
bookworm, bookworm (security)3.10.8-1.1+deb12u1fixed
sid, trixie3.10.8-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


Search for package or bug name: Reporting problems