MEDIUM | Remediated

CVE-2025-9902

Management API path traversal in virtual host names

Technology

RabbitMQ

CVSS Score

5.4 / 10.0

Affected Versions

3.11.0 – 3.12.14

Patched In

OSSeva for RabbitMQ 3.12.14-osseva-2

Published

November 28, 2025

Remediated

December 10, 2025

Description

The RabbitMQ management plugin API does not correctly sanitize virtual host names in certain API routes, allowing an authenticated admin user to traverse paths outside the expected virtual host namespace.

Is your RabbitMQ deployment affected?

If you're running 3.11.0 – 3.12.14, you need this patch. Book a discovery call to get covered.