CVE-2025-27819

CWE-502 — Deserialization of Untrusted Data5 documents5 sources

Severity

7.5HIGH

EPSS

0.9%

top 24.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Kafka Apache Kafka

Timeline

PublishedJun 10

Description

In CVE-2023-25194, we announced the RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration in Kafka Connect API. But not only Kafka Connect API is vulnerable to this attack, the Apache Kafka brokers also have this vulnerability. To exploit this vulnerability, the attacker needs to be able to connect to the Kafka cluster and have the AlterConfigs permission on the cluster resource. Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Mavenorg.apache.kafka:kafka_2.12< 3.4.0

▶Mavenorg.apache.kafka:kafka_2.13< 3.4.0

▶NVDapache/kafka2.0.0 — 3.3.2

▶CVEListV5apache_software_foundation/apache_kafka2.0.0 — 3.3.2

🔴Vulnerability Details

GHSA

Apache Kafka Deserialization of Untrusted Data vulnerability↗2025-06-10

▶

CVEList

Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration↗2025-06-10

▶

OSV

Apache Kafka Deserialization of Untrusted Data vulnerability↗2025-06-10

▶

📋Vendor Advisories

Red Hat

org.apache.kafka: Kafka JNDI Login Module RCE Vulnerability↗2025-06-10

▶