CVE-2025-27817
published 2025-06-10


Priority: P182
CVSS 3.1: 7.5 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (VulnCheck KEV, ITW exploit)
EPSS: 62.37% (99.1th percentile)
A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting up the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url". Apache Kafka allows clients to read an arbitrary file and return its content in the error log, or to send requests to an unintended location. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use the "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwks.endpoint.url" configuration to read arbitrary contents of the disk and environment variables, or to make requests to an unintended location. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment/URL access, which may be undesirable in certain environments, including SaaS products. Since Apache Kafka 3.9.1/4.0.0, we have added a system property ("-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls") to set the allowed URLs in the SASL JAAS configuration. In 3.9.1 it accepts all URLs by default for backward compatibility; in 4.0.0 and newer, however, the default value is an empty list and users have to set the allowed URLs explicitly.

Affected (2 ranges)

Vendor                      Product              Version range       Fixed in
apache                      kafka                >= 3.1.0 < 3.9.1    3.9.1
apache_software_foundation  apache_kafka_client  3.1.0 – 3.9.0

Detection & IOCs (extracted from sources)

url: file:///etc/passwd
command: sasl.oauthbearer.token.endpoint.url=file:///etc/passwd
other: org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
other: org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule
  • Detect POST requests to /druid/indexer/v1/sampler containing 'sasl.oauthbearer.token.endpoint.url' with a file:// URI scheme, indicating attempted arbitrary file read via CVE-2025-27817.
  • Alert on HTTP response bodies containing both 'Malformed JWT provided' and 'RecordSupplier' with a 400 status code, which indicates that an exploitation attempt was triggered.
  • Alert on HTTP response bodies matching the regex 'root:.*:0:0:' which indicates /etc/passwd content was returned in an error log, confirming successful file read exploitation.
  • Monitor Kafka Connect REST API requests that set 'sasl.oauthbearer.token.endpoint.url' or 'sasl.oauthbearer.jwks.endpoint.url' to file:// or internal network URLs (e.g., http://127.x.x.x), as these can be used to escalate from REST API access to filesystem/environment/URL access.
  • Use Shodan/FOFA queries to identify exposed Apache Kafka Connect REST API endpoints that may be targeted: shodan 'http.title:"Apache kafka"', fofa 'title="Apache Kafka"'.
  • In Apache Kafka 3.9.1, the new system property '-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls' accepts ALL URLs by default for backward compatibility, meaning the fix does not restrict access unless explicitly configured.
  • The vulnerability is only exploitable when an untrusted party can supply Kafka client configuration (e.g., via the Kafka Connect REST API). Environments where configuration is fully controlled by trusted parties have reduced exposure.
  • The exploit payload uses the SASL_SSL security protocol with the OAUTHBEARER mechanism; environments not using SASL/OAUTHBEARER are not affected by this specific attack vector.
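The mitigation described above is a URL allow-list applied to the two OAUTHBEARER endpoint keys. The following added example (not code from Apache Kafka or from this page) checks a submitted Kafka client or connector config the way a defender might before accepting it through Kafka Connect: it mirrors the advisory's semantics for the allowed.urls property (unset means allow-all before 4.0.0 and deny-all from 4.0.0 on), flags non-HTTP schemes such as file://, and flags loopback or private IP targets. Exact-string matching against the allow-list, the SAMPLE_CONFIG, and the idp.example.test hostname are assumptions constructed for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# Client config keys named in the advisory; the client fetches whatever URL they carry.
OAUTH_URL_KEYS = (
    "sasl.oauthbearer.token.endpoint.url",
    "sasl.oauthbearer.jwks.endpoint.url",
)

# Constructed sample: a connector config as an untrusted party might submit it via the REST API.
SAMPLE_CONFIG = {
    "security.protocol": "SASL_SSL",
    "sasl.mechanism": "OAUTHBEARER",
    "sasl.oauthbearer.token.endpoint.url": "file:///etc/passwd",
    "sasl.oauthbearer.jwks.endpoint.url": "https://idp.example.test/jwks",
}


def parse_allowed_urls(prop_value):
    """Comma-separated value of the allowed.urls property -> set; None means unset."""
    if prop_value is None:
        return None
    return {u.strip() for u in prop_value.split(",") if u.strip()}


def _is_internal_host(host):
    """True for loopback/private/link-local IP literals (SSRF into internal services)."""
    try:
        return not ip_address(host).is_global
    except ValueError:  # not an IP literal (a hostname); make no claim either way
        return False


def check_config(config, allowed_urls, kafka_version):
    """Return (key, url, reason) findings for one Kafka client/connector config.

    allowed_urls: set from parse_allowed_urls(), or None when the property is unset.
    kafka_version: (major, minor, patch) tuple; an unset property is allow-all
    before 4.0.0 and deny-all from 4.0.0 on, as the advisory states.
    """
    findings = []
    for key in OAUTH_URL_KEYS:
        url = config.get(key)
        if url is None:
            continue
        parsed = urlparse(url)
        scheme = parsed.scheme.lower()
        if scheme not in ("http", "https"):
            # file:// (or any other non-HTTP scheme) is the arbitrary-file-read path
            findings.append((key, url, f"non-HTTP scheme '{scheme}'"))
        elif _is_internal_host(parsed.hostname or ""):
            findings.append((key, url, "points at an internal/loopback address"))
        elif allowed_urls is None and kafka_version >= (4, 0, 0):
            findings.append((key, url, "allowed.urls unset; 4.0.0+ denies by default"))
        elif allowed_urls is not None and url not in allowed_urls:
            findings.append((key, url, "URL not in allowed.urls"))
    return findings
```

Running `check_config(SAMPLE_CONFIG, None, (3, 9, 1))` reports only the file:// key, which illustrates why the 3.9.1 allow-all default still needs an explicit allow-list to be effective.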

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck               7.5    HIGH
vendor_oracle           7.5    HIGH
vendor_redhat           7.5    HIGH