CVE-2019-17572

MEDIUM

Apache RocketMQ 4.2.0-4.6.0 - Path Traversal via Automatic Topic Creation


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-17572. PoC published by shoucheng3.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2019-17572, a deserialization vulnerability in Apache RocketMQ. The exploit leverages insecure deserialization in the ACL module to achieve remote code execution (RCE).

Description

In Apache RocketMQ 4.2.0 to 4.6.0, when automatic topic creation is enabled in the broker (it is on by default), a malicious topic name such as “../../../../topic2020” sent from rocketmq-client to the broker causes a topic folder to be created in a parent directory on the broker, which is a directory traversal vulnerability. Users of the affected versions should upgrade to Apache RocketMQ 4.6.1 or later.

Exploits (1)

nomisec WORKING POC
by shoucheng3 · poc
https://github.com/shoucheng3/apache__rocketmq_CVE-2019-17572_4-6-0


Classification
Working PoC: 90%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Apache RocketMQ 4.6.0
Authentication: No auth needed
Prerequisites: Network access to the RocketMQ broker · Vulnerable version of RocketMQ (4.6.0)
Analyzed by devstral-2 on Feb 19, 2026

Scores

CVSS v3: 5.3
EPSS: 0.0155
EPSS Percentile: 81.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-22
Status: published
Products (2):
apache/rocketmq 4.2.0 - 4.6.0
org.apache.rocketmq/rocketmq-broker 4.2.0 - 4.6.1 (Maven)
Published: May 14, 2020
Tracked Since: Feb 18, 2026