Does CVE-2025-50200 (RabbitMQ HTTP/s API vulnerability) affect OnlyOffice Document Server 7.5.x? #3565
Aaditya-Rane asked this question in Q&A (unanswered, 0 replies)
Question
Does the RabbitMQ vulnerability CVE-2025-50200 (GHSA-gh3x-4x42-fvq8) affect OnlyOffice Document Server 7.5.x when using RabbitMQ 3.13.7?
My Setup
Vulnerability Details
CVE-2025-50200 affects RabbitMQ versions ≤ 3.13.7. The vulnerability allows logging of Basic Auth headers (with base64-encoded credentials) in plaintext when HTTP/HTTPS management API endpoints (port 15672) are used and errors occur.
Patched versions: RabbitMQ ≥ 4.0.8, ≥ 3.13.8
Reference: GHSA-gh3x-4x42-fvq8
My Understanding (Please Confirm)
Based on my research:
RABBITMQ_PASSWORD configuration is used for AMQP authentication, not HTTP Basic Auth
Questions
Does OnlyOffice Document Server 7.5.x use any HTTP/HTTPS endpoints to communicate with RabbitMQ, or does it exclusively use AMQP protocol (port 5672)?
If OnlyOffice only uses AMQP and the management plugin is disabled, is the risk from CVE-2025-50200 minimal/non-existent since the vulnerable HTTP endpoints are not in use?
Should I upgrade RabbitMQ to 4.0.8+ for security, or is staying on 3.13.7 acceptable given that HTTP endpoints are not used?
Are there any scenarios where OnlyOffice Document Server might use RabbitMQ's HTTP management API endpoints that I should be aware of?
Additional Context
RABBITMQ_PASSWORD for AMQP authentication
Thank you for your help and clarification!
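An added example, not part of the original post or of OnlyOffice's or RabbitMQ's own code: a small triage script that compares a RabbitMQ version against the patched releases quoted in the question and scans log lines for Basic Auth tokens that decode to a `user:password` pair. The function names and the sample log lines are constructed for illustration, and the scanner matches the generic `Basic <base64>` pattern rather than RabbitMQ's exact log format.

```python
import base64
import binascii
import re

# Patched releases as listed in the advisory text quoted in the question.
PATCHED_3_13 = (3, 13, 8)
PATCHED_4_0 = (4, 0, 8)
# Generic "Basic <base64>" token; an assumption, not RabbitMQ's log format.
BASIC_RE = re.compile(r"\bBasic\s+([A-Za-z0-9+/]{4,}={0,2})")


def is_patched(version: str) -> bool:
    """True if the version is at or above a patched release on its line."""
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if v[:2] == (3, 13):
        return v >= PATCHED_3_13
    return v >= PATCHED_4_0


def find_logged_credentials(lines):
    """Return (line_number, username) for each decodable Basic Auth token.

    Passwords are never returned, so the report itself is safe to share.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in BASIC_RE.findall(line):
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not base64 text, so not a credential pair
            user, sep, _password = decoded.partition(":")
            if sep and user:
                hits.append((number, user))
    return hits


# Constructed sample lines, not real RabbitMQ output.
SAMPLE_LOG = [
    "2025-01-01 10:00:00 [info] accepting AMQP connection 10.0.0.5:41234 -> 10.0.0.2:5672",
    "2025-01-01 10:00:01 [error] request failed, headers: authorization: Basic "
    + base64.b64encode(b"monitor:example-password").decode(),
    "2025-01-01 10:00:02 [info] Basic health check passed",
]

if __name__ == "__main__":
    print("3.13.7 patched:", is_patched("3.13.7"))
    for number, user in find_logged_credentials(SAMPLE_LOG):
        print(f"line {number}: credentials for user {user!r} were logged; rotate them")
```

Any hit means the named account's password should be rotated and the affected log files restricted or purged, regardless of whether the broker has since been upgraded.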