CVE-2025-27817
Published 2025-06-10
Priority P1 · 82 · high · 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS 62.37% (99.1th percentile)
A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting up the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url". Apache Kafka allows clients to read an arbitrary file and return its content in the error log, or to send requests to an unintended location. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url" configuration to read arbitrary contents of the disk and environment variables, or to make requests to an unintended location. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment/URL access, which may be undesirable in certain environments, including SaaS products.
Since Apache Kafka 3.9.1/4.0.0, a system property ("-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls") sets the allowed URLs in the SASL JAAS configuration. In 3.9.1 it accepts all URLs by default for backward compatibility. In 4.0.0 and newer, however, the default value is an empty list and users have to set the allowed URLs explicitly.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | kafka | >= 3.1.0 < 3.9.1 | 3.9.1 |
| apache_software_foundation | apache_kafka_client | 3.1.0 – 3.9.0 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /druid/indexer/v1/sampler containing 'sasl.oauthbearer.token.endpoint.url' with a file:// URI scheme, indicating attempted arbitrary file read via CVE-2025-27817.
- Alert on HTTP response bodies containing both 'Malformed JWT provided' and 'RecordSupplier' with a 400 status code, which indicates a successful exploitation attempt trigger.
- Alert on HTTP response bodies matching the regex 'root:.*:0:0:', which indicates /etc/passwd content was returned in an error log, confirming successful file read exploitation.
- Monitor Kafka Connect REST API requests that set 'sasl.oauthbearer.token.endpoint.url' or 'sasl.oauthbearer.jwks.endpoint.url' to file:// or internal network URLs (e.g., http://127.x.x.x), as these can be used to escalate from REST API access to filesystem/environment/URL access.
- Use Shodan/FOFA queries to identify exposed Apache Kafka Connect REST API endpoints that may be targeted: shodan 'http.title:"Apache kafka"', fofa 'title="Apache Kafka"'.
- In Apache Kafka 3.9.1, the new system property '-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls' accepts ALL URLs by default for backward compatibility, meaning the fix does not restrict access unless explicitly configured.
- The vulnerability is only exploitable when an untrusted party can supply Kafka client configuration (e.g., via the Kafka Connect REST API). Environments where configuration is fully controlled by trusted parties have reduced exposure.
- The exploit payload uses the SASL_SSL security protocol with the OAUTHBEARER mechanism; environments not using SASL/OAUTHBEARER are not affected by this specific attack vector.
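The two defensive points above, the allow-list semantics of the `allowed.urls` property and the detection guidance for Kafka Connect REST requests, can be exercised with a pre-submission check. The following is an added example, not code from Apache Kafka or Kafka Connect: it walks a connector config, flags `file://` and loopback/private-network endpoint URLs, and applies an allow-list with the version-dependent empty-list default described in the advisory. Assumptions are labelled in the comments: exact-match allow-list comparison, the `consumer.override.`/`producer.override.` key prefixes, and the sample request bodies, which are constructed.

```python
"""Pre-submission check for Kafka Connect connector configs (added example).

Mirrors the allow-list behaviour described for
-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls and flags the URL patterns
listed in the detection notes (file:// and internal-network endpoints).
"""
import ipaddress
import json
from urllib.parse import urlparse

# Config keys named in the advisory. Kafka Connect lets a connector override
# client settings with "consumer.override." / "producer.override." prefixes,
# so keys are matched on their suffix (assumption: prefix use is common).
URL_KEYS = (
    "sasl.oauthbearer.token.endpoint.url",
    "sasl.oauthbearer.jwks.endpoint.url",
)


def _host_is_internal(host):
    """True for loopback, private or link-local literals and 'localhost'."""
    if host is None or host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS name; resolution is deliberately out of scope
    return ip.is_private or ip.is_loopback or ip.is_link_local


def classify_url(url):
    """Return a reason string if the URL matches a flagged pattern, else None."""
    parts = urlparse(url)
    if parts.scheme in ("http", "https"):
        if _host_is_internal(parts.hostname):
            return "internal or loopback host"
        return None
    if parts.scheme == "file":
        return "file:// scheme (local file read)"
    return "unexpected scheme %r" % parts.scheme


def is_allowed(url, allowed_urls, allow_all_when_empty):
    """Allow-list check with the advisory's defaults: an empty list allows
    everything on 3.9.1 (allow_all_when_empty=True) and nothing on 4.0+
    (allow_all_when_empty=False). Assumption: exact string match."""
    if not allowed_urls:
        return allow_all_when_empty
    return url.strip() in allowed_urls


def scan_connector_config(config, allowed_urls, allow_all_when_empty=False):
    """Return (key, value, reason) triples for every flagged endpoint URL."""
    findings = []
    for key, value in config.items():
        if not key.endswith(URL_KEYS):
            continue
        reason = classify_url(value)
        if reason is None and not is_allowed(value, allowed_urls, allow_all_when_empty):
            reason = "not in allowed.urls list"
        if reason is not None:
            findings.append((key, value, reason))
    return findings


# Constructed connector request bodies (PUT/POST /connectors payload shape).
SAMPLE_REQUESTS = [
    {"name": "orders-sink", "config": {
        "consumer.override.sasl.mechanism": "OAUTHBEARER",
        "consumer.override.sasl.oauthbearer.token.endpoint.url":
            "https://idp.example.com/oauth2/token"}},
    {"name": "probe-1", "config": {
        "sasl.mechanism": "OAUTHBEARER",
        "sasl.oauthbearer.token.endpoint.url": "file:///etc/passwd"}},
    {"name": "probe-2", "config": {
        "sasl.oauthbearer.jwks.endpoint.url": "http://127.0.0.1:8080/jwks"}},
]
# Constructed allow-list, analogous to the allowed.urls property value.
ALLOWED = {
    "https://idp.example.com/oauth2/token",
    "https://idp.example.com/oauth2/jwks",
}


def scan_requests(requests, allowed_urls=ALLOWED):
    """Map connector name -> findings for every request that has any."""
    report = {}
    for req in requests:
        findings = scan_connector_config(req["config"], allowed_urls)
        if findings:
            report[req["name"]] = findings
    return report


if __name__ == "__main__":
    print(json.dumps(scan_requests(SAMPLE_REQUESTS), indent=2))
```

Run as a script it reports `probe-1` and `probe-2` and stays silent on `orders-sink`; calling `scan_connector_config(cfg, set(), allow_all_when_empty=True)` reproduces the 3.9.1 default, where an unlisted but otherwise well-formed HTTPS endpoint is not flagged.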
CVSS provenance
- nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vulncheck: 7.5 HIGH
- vendor_oracle: 7.5 HIGH
- vendor_redhat: 7.5 HIGH
Oracle
Oracle Financial Services Applications Risk Matrix: Accessibility (Apache Kafka) — CVE-2025-27817 [HIGH]
vendor_oracle · 2026-01-15 · CVSS 7.5
- CVE: CVE-2025-27817
- CVSS: 7.5
- Protocol: HTTP
- Remote exploit: Yes
- Affected versions: Network
- Advisory: cpujan2026 (JAN 2026)
Oracle
Oracle Communications Applications Risk Matrix: Platform (Apache Kafka) — CVE-2025-27817 [HIGH]
vendor_oracle · 2025-10-15 · CVSS 7.5
- CVE: CVE-2025-27817
- CVSS: 7.5
- Protocol: HTTP
- Remote exploit: Yes
- Affected versions: Network
- Advisory: cpuoct2025 (OCT 2025)
Oracle
Oracle Financial Services Applications Risk Matrix: Platform (Apache Kafka) — CVE-2025-27817 [HIGH]
vendor_oracle · 2025-07-15 · CVSS 7.5
- CVE: CVE-2025-27817
- CVSS: 7.5
- Protocol: HTTP
- Remote exploit: Yes
- Affected versions: Network
- Advisory: cpujul2025 (JUL 2025)
Red Hat
org.apache.kafka: Kafka Client Arbitrary File Read SSRF — CVE-2025-27817 [HIGH] CWE-918
vendor_redhat · 2025-06-10 · CVSS 7.5
OSV
Apache Kafka Client Arbitrary File Read and Server Side Request Forgery Vulnerability — CVE-2025-27817 [MEDIUM]
osv · 2025-06-10
GHSA
Apache Kafka Client Arbitrary File Read and Server Side Request Forgery Vulnerability — CVE-2025-27817 [MEDIUM] CWE-918
ghsa · 2025-06-10
VulnCheck
Apache Kafka Server-Side Request Forgery (SSRF) — CVE-2025-27817 [HIGH]
vulncheck · 2025 · CVSS 7.5
No detection rules found.
Nuclei
Apache Kafka Client - Arbitrary File Read — CVE-2025-27817 [HIGH]
nuclei · CVSS 7.5
Apache Kafka Client contains an arbitrary file read and server-side request forgery caused by untrusted configuration of sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url, letting attackers read files or send requests to unintended locations; exploitation requires an untrusted party to specify client configurations.
Template:
```yaml
id: CVE-2025-27817
info:
  name: Apache Kafka Client - Arbitrary File Read
  author: 0x_Akoko
  severity: high
  description: |
    Apache Kafka Client contains arbitrary file read and server-side request forgery caused by untrusted configuration of sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url, letting attackers read files or send requests to unintended locations, exploit requires untrusted
```
Bugzilla
CVE-2025-27817 org.apache.kafka: Kafka Client Arbitrary File Read SSRF — CVE-2025-27817 [HIGH]
bugzilla · 2025-06-10 · CVSS 7.5