CVE-2025-27819 – org.apache.kafka:kafka

Package

Manager: maven
Name: org.apache.kafka:kafka
Vulnerable Version: >=0 <3.4.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00492 pctl0.64642

Details

Apache Kafka Deserialization of Untrusted Data vulnerability In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource. Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in in Apache Kafka 3.9.1/4.0.0

Metadata

Created: 2025-06-10T09:30:31Z
Modified: 2025-06-10T20:21:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-mcwh-c9pg-xw43/GHSA-mcwh-c9pg-xw43.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-mcwh-c9pg-xw43
Finding: F096
Auto approve: 1