Apache Kafka Deserialization of Untrusted Data vulnerability

GHSA-mcwh-c9pg-xw43 · BIT-kafka-2025-27819 · CVE-2025-27819

Published Jun 10, 2025 · Modified Dec 11, 2025

Description

In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource.

Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usage in SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0, and "com.sun.security.auth.module.JndiLoginModule,com.sun.security.auth.module.LdapLoginModule" is disabled by default in in Apache Kafka 3.9.1/4.0.0

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-27819
ADVISORY https://github.com/advisories/GHSA-26f8-x7cc-wqpc
PACKAGE https://github.com/apache/kafka
WEB https://kafka.apache.org/cve-list

8.8 / 10

HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Packages

Maven/org.apache.kafka:kafka_2.10

Introduced 0

16 affected versions

0.10.0.00.10.0.10.10.1.00.10.1.10.10.2.00.10.2.10.10.2.20.8.00.8.10.8.1.10.8.2-beta0.8.2.00.8.2.10.8.2.20.9.0.00.9.0.1

Maven/org.apache.kafka:kafka_2.11

Introduced 0

33 affected versions

0.10.0.00.10.0.10.10.1.00.10.1.10.10.2.00.10.2.10.10.2.20.11.0.00.11.0.10.11.0.20.11.0.30.8.2-beta0.8.2.00.8.2.10.8.2.20.9.0.00.9.0.11.0.01.0.11.0.2 +13 more

Maven/org.apache.kafka:kafka_2.12

Fix 3.4.0

Introduced 0

49 affected versions

0.10.1.10.10.2.00.10.2.10.10.2.20.11.0.00.11.0.10.11.0.20.11.0.31.0.01.0.11.0.21.1.01.1.12.0.02.0.12.1.02.1.12.2.02.2.12.2.2 +29 more

Maven/org.apache.kafka:kafka_2.13

Fix 3.4.0

Introduced 0

27 affected versions

2.4.02.4.12.5.02.5.12.6.02.6.12.6.22.6.32.7.02.7.12.7.22.8.02.8.12.8.23.0.03.0.13.0.23.1.03.1.13.1.2 +7 more

Maven/org.apache.kafka:kafka_2.8.0

Introduced 0

4 affected versions

0.8.00.8.0-beta10.8.10.8.1.1

Maven/org.apache.kafka:kafka_2.8.2

Introduced 0

3 affected versions

0.8.00.8.0-beta10.8.1

Maven/org.apache.kafka:kafka_2.9.1

Introduced 0

8 affected versions

0.8.00.8.0-beta10.8.10.8.1.10.8.2-beta0.8.2.00.8.2.10.8.2.2

Maven/org.apache.kafka:kafka_2.9.2

Introduced 0

8 affected versions

0.8.00.8.0-beta10.8.10.8.1.10.8.2-beta0.8.2.00.8.2.10.8.2.2

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes